CVE-2023-5678 - Slowdowns and Denial of Service in OpenSSL’s X9.42 DH Key Handling

OpenSSL is practically everywhere—servers, appliances, embedded systems—handling cryptographic functions. But sometimes, even the most trusted code has overlooked weak spots. CVE-2023-5678 is one such example, affecting how OpenSSL processes Diffie-Hellman (DH) keys under the X9.42 standard.

In this post, we’ll break down what’s at stake, show you how it works, and explain how attackers might use it to cripple services. We’ll keep things clear, avoiding jargon where possible, and add code samples and helpful links along the way.

Issue Summary: Where Things Went Wrong

OpenSSL offers different functions for generating and checking DH keys and parameters. Some of these, like DH_generate_key() and DH_check_pub_key(), don’t fully validate if you give them excessively large numbers (namely, the P and Q parameters in DH). These large numbers can cause these functions to take a very long time to run. If an attacker can feed you crafted data, they may slow down your app or even block it entirely—a classic DoS (Denial of Service).

OpenSSL CLI (pkey with -pubcheck, genpkey)

Note: Normal HTTPS with OpenSSL (SSL/TLS) is *not* affected.

Impact: How an Attacker Can Hurt You

Let’s face it: cloud servers, VPNs, and crypto-heavy apps often accept keys or parameters from the public. If your application uses one of the affected functions and gets DH params from an untrusted source (such as a client upload or API payload), an attacker can send a booby-trapped X9.42 DH key or parameters, making your app hang for a long time.

How Does This Work?

DH keys are based on huge prime numbers—P and Q. OpenSSL is supposed to check that these numbers aren’t *too* big, but:

DH_generate_key() checks P, but skips the check on Q.

This means that if you call these functions with a key or parameters with P or Q way bigger than normal, OpenSSL chugs through giant math operations. It takes up huge CPU time, blocking other work.

Here’s a simple C example that shows an application checking a public DH key – the unsafe way

#include <openssl/dh.h>

void unsafe_check_pubkey(BIGNUM *pub_key, DH *dh) {
    int codes = ;
    // VLNERABLE: No length check on parameters!
    if (!DH_check_pub_key(dh, pub_key, &codes)) {
        // error handling
    }
}

int main(void) {
    DH *dh = DH_new();
    // ...load or receive DH params from untrusted source (DANGEROUS)...
    BIGNUM *pub_key = /* attacker-supplied value */;
    unsafe_check_pubkey(pub_key, dh);
    // If pub_key, P, or Q are huge, CPU time explodes
    return ;
}

If using the cryptography Python library (which can link to OpenSSL underneath)

from cryptography.hazmat.primitives.asymmetric import dh

# Attacker sends giant parameters:
bad_p = 2 ** 20000 + 1  # Way too big!
bad_g = 2
parameters = dh.DHParameterNumbers(bad_p, bad_g).parameters()
try:
    public_key = parameters.generate_private_key().public_key()
    print(public_key.public_numbers())
except Exception as e:
    print("This could take forever, or crash: ", e)

Exploitation Scenario

An attacker can generate bogus DH parameters with giant P or Q values, send them to your API or service, and trigger:

Original References & Fixes

- OpenSSL Security Advisory for CVE-2023-5678
- OpenSSL Change log / fixes
- NIST X9.42 standard (specification background)
- CVE Details for CVE-2023-5678

Patching:
Upgrade to OpenSSL 3..12, 3.1.4, or 3.2. (or higher). These versions hard-cap the size of P and Q in DH parameter checks and generation.

Limit Input Size

If you *must* accept uploaded DH keys or parameters, check their bit lengths (e.g., no more than 8192 bits for P or Q) *before* passing to OpenSSL.

Validate Sources

Ideally, never accept cryptographic parameters from untrusted sources. Generate or fetch them from trusted parties only.

Conclusion

CVE-2023-5678 is a reminder that *some* crypto libraries trust their inputs too much. Even if no memory corruption is involved, resource exhaustion can sneak through logic bugs like missing size checks. If your app passes DH keys or parameters from users or network peers into OpenSSL’s affected functions, you must patch and validate!

Stay secure. If you’re unsure, audit any usage of DH_generate_key(), DH_check_pub_key(), EVP_PKEY_public_check(), and related calls—especially where they touch untrusted data.

For further reading and official details

- OpenSSL Security Advisories
- CVE-2023-5678 at Mitre
- OpenSSL source code diffs

Timeline

Published on: 11/06/2023 16:15:42 UTC
Last modified on: 11/21/2023 16:54:10 UTC