CVE-2002-20001

CWE-400 — Uncontrolled Resource Consumption3 documents3 sources

Severity

7.5HIGH

EPSS

14.7%

top 5.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Big-ip Access Policy Manager HPE Arubaos-cx Stormshield Stormshield Management Center +25 more

Timeline

PublishedNov 11

Latest updateApr 21

Description

The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must cla…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages28 packages

▶NVDsuse/linux_enterprise_server11, 12, 15+2

▶NVDstormshield/stormshield_network_security2.7.0 — 4.3.16+1

▶NVDf5/traffix_signaling_delivery_controller5.1.0, 5.2.0+1

▶NVDhpe/arubaos-cx10.06.0000 — 10.06.0180+3

▶NVDf5/big-ip_access_policy_manager13.1.0 — 16.1.4+1

🔴Vulnerability Details

GHSA

GHSA-jx4r-qc68-xjr5: The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys,↗2022-04-21

▶

CVEList

CVE-2002-20001: The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys,↗2021-11-11

▶