CVE-2023-29409 - Excessive CPU Utilization due to Extremely Large RSA Keys in Certificate Chains

CVE-2023-29409 describes a vulnerability in client/server systems in which extremely large RSA keys in certificate chains cause excessive CPU utilization. The issue arises when these RSA keys are larger than 8192 bits. The resulting processing time can slow or halt operations in client/server systems.

In response to this issue, a fix has been implemented that restricts the size of RSA keys transmitted during handshakes to a maximum of 8192 bits. This post will discuss the details of CVE-2023-29409, including code snippets, original references, and further details on the exploit.

Code Snippet

To help enforce the maximum RSA key size during TLS handshakes, the following code snippet can be added:

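// rsaKeySize is assumed to hold the bit length of the certificate's RSA key.
if rsaKeySize > 8192 {
  // Terminate the handshake rather than process the oversized key.
  return errors.New("RSA key size exceeds 8192 bits")
}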

This code snippet checks if the RSA key size is greater than 8192 bits during the handshake process. If it is, the handshake will be terminated, addressing the excessive CPU usage.
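
The same size check applied to every certificate in a chain, as an added example (not code from the original post or from crypto/tls). The names maxRSAKeySize, checkChainRSAKeySize and constructedChain are assumptions, and the sample chains are constructed in memory.

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// maxRSAKeySize is the 8192-bit handshake limit described on this page.
const maxRSAKeySize = 8192

// checkChainRSAKeySize reports the first certificate in chain whose RSA
// modulus is longer than maxRSAKeySize bits. Non-RSA keys are skipped.
func checkChainRSAKeySize(chain []*x509.Certificate) error {
	for i, cert := range chain {
		pub, ok := cert.PublicKey.(*rsa.PublicKey)
		if !ok || pub.N == nil {
			continue
		}
		if bits := pub.N.BitLen(); bits > maxRSAKeySize {
			return fmt.Errorf("certificate %d (%s): RSA key size %d exceeds %d bits",
				i, cert.Subject.CommonName, bits, maxRSAKeySize)
		}
	}
	return nil
}

// constructedChain (hypothetical helper) builds in-memory certificates whose
// RSA moduli have exactly the given bit lengths. The moduli are constructed
// sample values, not usable keys; only their size matters to the check.
func constructedChain(bits ...int) []*x509.Certificate {
	var chain []*x509.Certificate
	for i, b := range bits {
		n := new(big.Int).Lsh(big.NewInt(1), uint(b-1)) // BitLen() == b
		chain = append(chain, &x509.Certificate{
			Subject:   pkix.Name{CommonName: fmt.Sprintf("constructed-%d", i)},
			PublicKey: &rsa.PublicKey{N: n, E: 65537},
		})
	}
	return chain
}

func main() {
	fmt.Println(checkChainRSAKeySize(constructedChain(2048, 8192)))  // within the limit
	fmt.Println(checkChainRSAKeySize(constructedChain(2048, 16384))) // rejected
}
```

To audit a private PKI, pass certificates parsed with x509.ParseCertificate in place of the constructed chain; any chain that returns an error here exceeds the handshake limit this page describes.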

Original References

1. NIST vulnerability database: CVE-2023-29409 – A detailed description of the vulnerability, including references and notes on affected software.
2. RSA Laboratories FAQ on key size – Explanation of key sizes and the rationale for limiting them to 8192 bits in the context of CVE-2023-29409.
3. Survey of publicly trusted RSA keys – A recent survey conducted to determine the prevalence of RSA keys larger than 8192 bits in circulation.

Exploit Details

The vulnerability arises due to the large size of RSA keys being processed during client/server handshakes. Unfortunately, there are some instances where RSA keys larger than 8192 bits have been found in the wild, though these seem to be test certificates and not actively deployed.

By introducing a restriction on the size of RSA keys, we address this vulnerability, effectively increasing the default security of clients and servers using crypto/tls. We acknowledge that it is possible for larger keys to be in use in private PKIs. However, our focus is on the web PKI to ensure a safer environment for the majority of users.

Conclusion

CVE-2023-29409 highlights the importance of limiting RSA key sizes, as excessively large keys can cause significant processing overhead, negatively impacting the performance and security of client/server systems. By restricting RSA key sizes to a maximum of 8192 bits during handshakes, we aim to minimize the impact of this vulnerability and improve the default safety for users of crypto/tls on the web.

Timeline

Published on: 08/02/2023 20:15:00 UTC
Last modified on: 08/31/2023 19:15:00 UTC