The DHEat denial-of-service vulnerability involves sending a large number of Diffie-Hellman (DH) public keys to a peer, causing it to perform many unnecessary modular exponentiations and wasting CPU resources (in fact, the attacker can simply send random numbers instead of real DH keys to avoid incurring the computational penalty themselves).

Added implementation of the DHEat denial-of-service attack (see --dheat option; CVE-2002-20001).

Checker for well-known SSH vulnerabilities: Sweet32 attack, Anonymous Diffie-Hellman, NULL encryption, RC4, Non-Forward-Secret, Early SSH version, Weak Diffie-Hellman, DHEat attack, Terrapin attack

S. Pfeiffer and N. Tihanyi, “D(HE)at: A Practical Denial-of-Service Attack on the Finite Field Diffie–Hellman Key Exchange,” in IEEE Access, vol. 12, pp. 957-980, 2024, doi: 10.1109/ACCESS.2023.3347422.

The Diffie-Hellman Key Agreement Protocol enables remote attackers to send arbitrary numbers without public keys, triggering costly server-side DHE modular-exponentiation calculations. This attack requires minimal CPU resources and bandwidth, and may be more disruptive in cases where clients require server selection of largest supported key size.

The so-called DHEat Attack affects cryptographic protocols using the Diffie Hellman key exchange (incl. TLS). According to its authors, it exploits a potocol particularity that may allow attackers to perform a DoS attack “with a low-bandwidth network connection without authentication, privilege, or user interaction.”

Checker for well-known TLS vulnerabilities: Anonymous Diffie-Hellman, DHEat attack, DROWN attack, Early TLS version, Export grade ciphers, FREAK attack, Logjam attack, Lucky Thirteen attack, NULL encryption, Non-Forward-Secret, RC4, Sweet32 attack

Customers have asked about CVE 2022-40735 and whether they are vulnerable as users of wolfSSL. The short is answer is: No. But, there are ways that you can put yourself at risk. Let’s delve into the CVE and how best to protect yourself from attacks like this.

The Diffie-Hellman Key Agreement Protocol allows use of long exponents that arguably make certain calculations unnecessarily expensive, because the 1996 van Oorschot and Wiener paper found that ”(appropriately) short exponents” can be used when there are adequate subgroup constraints, and these short exponents can lead to less expensive calculations than for long exponents. This issue is different from CVE-2002-20001 because it is based on an observation about exponent size, rather than an observation about numbers that are not public keys.

The Diffie-Hellman Key Agreement Protocol allows use of long exponents that arguably make certain calculations unnecessarily expensive, because the 1996 van Oorschot and Wiener paper found that “(appropriately) short exponents” can be used when there are adequate subgroup constraints, and these short exponents can lead to less expensive calculations than for long exponents. This issue is different from CVE-2002-20001 because it is based on an observation about exponent size, rather than an observation about numbers that are not public keys.

The SCALANCE W1750D device contains multiple vulnerabilities that could allow an attacker to inject commands or exploit buffer overflow vulnerabilities which could lead to denial of service, unauthenticated remote code execution or stored XSS. Siemens has released updates for the affected products and recommends to update to the latest versions.

The configuration of supported groups in TLS servers is important to limit the resource consumption of the TLS handshakes performed by the server. This blog post should give system administrators a few useful hints on how to configure the OpenSSL library and two of the most used open source HTTP servers which use the OpenSSL library for supporting the HTTPS protocol. The CVE-2002-20001 (a.k.a DHEat attack) vulnerability inherent to the support of the Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH) key exchanges in TLS and other protocols provides a way for an attacker to cause high CPU usage on servers with relatively low effort on the client side.

Mitigation for the vulnerability referenced in CVE-2002-20001

The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.

Security researchers from Balasys have published a new attack on Diffie-Hellman key exchange which allows remote attackers to attack network facing SSL / TLS / HTTPS / SSH services leading to excessive compute time usage even by sending small amounts of network traffic even before authentication. All applications on SUSE Linux Enterprise are affected that have DHE enabled. The Diffie-Hellman Epheremal key exchange is usually configured by default to provide perfect forward secrecy.

Aruba has released updates for wired switch products running AOS-CX that address multiple security vulnerabilities.

The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.