CVE-2023-29409: Uncontrolled Resource Consumption in Standard Library Crypto TLS

Severity
5.3 MEDIUM (NVD)
EPSS
0.1%
top 69.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 2
Latest update: Aug 8

Description

Extremely large RSA keys in certificate chains can cause a client or server to expend significant CPU time verifying signatures. With the fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we ta
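The check the fix adds is a size bound on every RSA public key in the peer's chain, applied before any signature over that key is verified. The Go program below is an added example (not code from the Go project or from this advisory) that implements the same bound in application code for a client that must run on an unpatched toolchain: it disables the built-in verification with InsecureSkipVerify and re-implements it in VerifyPeerCertificate, rejecting oversized RSA keys before the chain is verified. The 8192-bit limit is the one stated in the description; the helper names (checkRSAKeySizes, verifyPeerCertificate, clientConfig, fakeRSACert) and the constructed oversized modulus used for the offline demonstration are this example's own assumptions, not anything from crypto/tls.

```go
package main

import (
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
)

// maxRSAKeyBits is the bound the fixed crypto/tls enforces on RSA keys
// received during a handshake (see the advisory text above).
const maxRSAKeyBits = 8192

// checkRSAKeySizes rejects any certificate in the presented chain whose RSA
// public key is larger than maxRSAKeyBits. Non-RSA keys are not affected by
// this issue and pass through untouched.
func checkRSAKeySizes(chain []*x509.Certificate) error {
	for i, cert := range chain {
		pub, ok := cert.PublicKey.(*rsa.PublicKey)
		if !ok {
			continue
		}
		if bits := pub.N.BitLen(); bits > maxRSAKeyBits {
			return fmt.Errorf("certificate %d: RSA key of %d bits exceeds limit of %d bits", i, bits, maxRSAKeyBits)
		}
	}
	return nil
}

// verifyPeerCertificate returns a tls.Config.VerifyPeerCertificate callback.
// It is meant to be paired with InsecureSkipVerify: true, so that the
// standard (expensive) chain verification is skipped and replaced here:
// key sizes are checked first, and only then is the chain verified against
// roots with the same hostname check the default path performs.
func verifyPeerCertificate(roots *x509.CertPool, serverName string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no peer certificate presented")
		}
		chain := make([]*x509.Certificate, 0, len(rawCerts))
		for _, raw := range rawCerts {
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			chain = append(chain, cert)
		}
		// Cheap structural check before any signature verification.
		if err := checkRSAKeySizes(chain); err != nil {
			return err
		}
		opts := x509.VerifyOptions{
			Roots:         roots,
			DNSName:       serverName,
			Intermediates: x509.NewCertPool(),
		}
		for _, c := range chain[1:] {
			opts.Intermediates.AddCert(c)
		}
		_, err := chain[0].Verify(opts)
		return err
	}
}

// clientConfig wires the callback into a client-side tls.Config.
func clientConfig(roots *x509.CertPool, serverName string) *tls.Config {
	return &tls.Config{
		ServerName:            serverName,
		InsecureSkipVerify:    true, // verification happens in VerifyPeerCertificate instead
		VerifyPeerCertificate: verifyPeerCertificate(roots, serverName),
		MinVersion:            tls.VersionTLS12,
	}
}

// fakeRSACert builds an x509.Certificate carrying an RSA modulus of exactly
// the requested bit length. The modulus (1 << (bits-1)) is not a real key;
// it is constructed input so the size check can be exercised offline
// without generating a multi-kilobit key pair.
func fakeRSACert(bits int) *x509.Certificate {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1))
	return &x509.Certificate{PublicKey: &rsa.PublicKey{N: n, E: 65537}}
}

func main() {
	for _, bits := range []int{2048, 8192, 8193, 16384} {
		err := checkRSAKeySizes([]*x509.Certificate{fakeRSACert(bits)})
		fmt.Printf("%5d-bit RSA key: %v\n", bits, err)
	}
}
```

The ordering inside the callback is the point: parsing and the key-size check cost almost nothing, while Verify is where a hostile 16384-bit key would burn CPU, so the reject happens before that work starts. Upgrading to a fixed Go release is still the real remedy; this pattern only narrows the window for code that cannot yet move.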

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

Source    | Package                        | Introduced | Fixed  | More
CVEListV5 | go_standard_library/crypto_tls | 1.20.0-0   | 1.20.7 | +2
NVD       | golang/go                      | 1.20.0     | 1.20.7 | +2

Patches

🔴 Vulnerability Details (4)
GHSA
GHSA-xc82-5m89-g4jv: Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures (2023-08-02)
OSV
Large RSA keys can cause high CPU usage in crypto/tls (2023-08-02)
CVEList
Large RSA keys can cause high CPU usage in crypto/tls (2023-08-02)
OSV
CVE-2023-29409: Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures (2023-08-02)

📋 Vendor Advisories (3)
Microsoft
Large RSA keys can cause high CPU usage in crypto/tls (2023-08-08)
Red Hat
golang: crypto/tls: slow verification of certificate chains containing large RSA keys (2023-08-02)
Debian
CVE-2023-29409: golang-1.15 - Extremely large RSA keys in certificate chains can cause a client/server to expe... (2023)
CVE-2023-29409 — Uncontrolled Resource Consumption | cvebase