PT-2023-21572 · Russh · Russh

Holzhaus · Published 2023-03-16 · Updated 2023-03-23 · CVE-2023-28113

CVSS v3.1: 5.9 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

russh versions 0.34.0 through 0.36.1
russh versions 0.37.0

Description

The issue is insufficient Diffie-Hellman key validation, which can lead to insecure shared secrets and break confidentiality. This can result in eavesdropping, particularly on connections between a russh client and a russh server, or between a russh peer and some other misbehaving peer. Most other implementations reject such keys, so this is mainly an interoperability issue. The problem arises because russh does not validate Diffie-Hellman keys: it accepts received DH public keys where e is less than 0, equal to 1, or greater than or equal to p-1 from a misbehaving peer, and successfully completes the key exchange. This violates RFC 4253 and RFC 8268, which state that DH public key values must be checked to ensure 1 < e < p-1 and 1 < f < p-1. Additionally, the code does not ensure that the generated secret key y is in the valid interval 0 < y < q.
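
The range checks described above, as an added example (not russh's code or its patch): it applies 1 < e < p-1 to the received public value and 0 < y < q to the local secret before computing the shared secret. The function names and the toy group p = 23, q = 11, g = 2 are assumptions made for illustration; real SSH groups use primes of 2048 bits or more.

```rust
// Added example. Toy group, constructed for illustration: p = 2q + 1, g of order q.
const P: u64 = 23;
const Q: u64 = 11;
const G: u64 = 2;

#[derive(Debug, PartialEq)]
enum DhError {
    PublicOutOfRange,
    SecretOutOfRange,
}

// Square-and-multiply; u128 intermediates avoid overflow.
fn mod_pow(base: u64, mut exp: u64, m: u64) -> u64 {
    let (mut acc, mut b) = (1u128, base as u128 % m as u128);
    while exp > 0 {
        if exp & 1 == 1 {
            acc = acc * b % m as u128;
        }
        b = b * b % m as u128;
        exp >>= 1;
    }
    acc as u64
}

// RFC 4253 / RFC 8268 range check: 1 < e < p-1 (the same bound applies to f).
// i128 because an SSH mpint is signed and may decode to a negative value.
fn check_public(e: i128) -> Result<u64, DhError> {
    if e > 1 && e < (P as i128) - 1 { Ok(e as u64) } else { Err(DhError::PublicOutOfRange) }
}

// The locally generated secret exponent must satisfy 0 < y < q.
fn check_secret(y: u64) -> Result<u64, DhError> {
    if y > 0 && y < Q { Ok(y) } else { Err(DhError::SecretOutOfRange) }
}

// Validate both values first; only then derive the shared secret.
fn shared_secret(peer: i128, y: u64) -> Result<u64, DhError> {
    let y = check_secret(y)?;
    let e = check_public(peer)?;
    Ok(mod_pow(e, y, P))
}

fn main() {
    // Constructed inputs: out-of-range values, then an honest peer key g^7 mod p.
    for peer in [-5i128, 0, 1, 22, 23, mod_pow(G, 7, P) as i128] {
        println!("peer={peer:>3} -> {:?}", shared_secret(peer, 4));
    }
}
```
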
Recommendations

For russh versions 0.34.0 through 0.36.1, update to version 0.36.2 or later. For russh version 0.37.0, update to version 0.37.1 or later. As a temporary workaround, consider restricting the use of Diffie-Hellman key exchange until a patch is available.

Improper Verification of Cryptographic Signature

RCE

Improperly Implemented Security Check for Standard

Weakness Enumeration

Related Identifiers

CVE-2023-28113
GHSA-CQVM-J2R2-HWPG

Affected Products

Russh