Executive Summary
What is it?
D(HE)at attack (CVE-2002-20001) exploits a 20-years-old flow in the finite field Diffie-Hellman key agreement protocol (DHE) that allows remote users without any privileges to trigger expensive server-side calculations without any significant resource (CPU) requirement posing a threat of a denial-of-service (DoS) attack.
How bad is it?
D(HE)at is not a client, server implementation or cryptographic library flow, so one cannot fix it by installing a simple software update. Instead, it exploits the Diffie-Hellman key agreement protocol, meaning that a comprehensive solution to the vulnerability would require the modification of the cryptographic protocols using the DHE key agreement and the client/server or library implementations as well.
However, it is crucial to note that the attack poses a threat only to availability, it does not impact confidentiality, integrity, or scope. The CVE-2002-20001 vulnerability has a base score of 7.5 (CVSS 3.1), signifying high severity – the highest achievable by a DoS attack – but falling short of critical.
Additionally, there is a potential client/server or cryptographic library implementation flaw (CVE-2022-40735), where poorly chosen key agreement parameters (private keys size) are used, deviating from the values recommended by NIST, making expensive operation in DH key even more expensive making D(HE)at attack much more effective.
Who is vulnerable?
D(HE)at attack (CVE-2002-20001) is a flow in any cryptographic protocol, that can initiates Diffie-Hellman key agreement during the handshake. It means that any network services that use a cryptographic protocol – such as IKE, OpenVPN, SSH, TLS – is affected by the weakness, however, several circumstances affect the efficiency of an attack.
There are some cryptographic protocols in which the attack are more efficient (e.g. TLS 1.3), while others (e.g. earlier TLS versions, SSH) are less efficient, but the differences are not significant. The effectiveness of the D(HE)at attack is much more affected by the default configurations of the application servers and the implementation details of the cryptographic libraries.