
Cloud Vulnerability DB
A community-led vulnerabilities database
The Diffie-Hellman Key Agreement Protocol allows the use of long private exponents that make certain calculations unnecessarily expensive: the 1996 van Oorschot and Wiener paper showed that appropriately short exponents can be used when there are adequate subgroup constraints, and a shorter exponent makes the modular exponentiation correspondingly cheaper. This vulnerability (CVE-2022-40735) enables remote attackers to trigger expensive server-side DHE modular-exponentiation calculations, causing asymmetric resource consumption: the server's cost is set by the length of its own private exponent, while the attacker's client does far less work. A server that already uses short exponents is not affected. The attack is particularly effective when combined with CVE-2002-20001 (the D(HE)ater attack) and can affect TLS, SSH, and IKE implementations that use DHE (NIST NVD).
The vulnerability stems from the use of unnecessarily long private exponents in Diffie-Hellman calculations when shorter ones would provide adequate security with better performance. The CVSS v3.1 base score is 7.5 (High), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, no privileges or user interaction required, and an impact on availability only. For the attack to work, the attacker's client claims that it can only communicate with DHE cipher suites, so the server cannot negotiate a cheaper key exchange, and the server must be configured to allow DHE. The attacker then causes asymmetric resource consumption by running a client that implements DHE with short exponents, while the server performs its two modular exponentiations per handshake with a full-length exponent (Ubuntu Security).
The primary impact is on availability through server resource consumption. An attacker can trigger unnecessarily expensive server-side DHE modular-exponentiation calculations, leading to an asymmetric computational load in which the server expends significantly more CPU per handshake than the client. Repeated over many connections this can result in denial of service, particularly when combined with the D(HE)ater attack (CVE-2002-20001), which repeatedly forces a server to perform these calculations (DHEat Attack).
Implementations should choose appropriately short private exponents that maintain security while improving performance. For example, when using safe primes, the private exponent should be a uniformly random value of at least twice the desired security level in bits (224 bits for a 112-bit security level), rather than a value drawn from the full range [2, p-2]. Additionally, implementations should validate that the peer's public key Y is in the range 1 < Y < p-1 before using it (RFC 4419); with a safe prime this rejects the only elements of small order, 1 and p-1, and so prevents small subgroup attacks at negligible cost.
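The asymmetry described above and the two mitigations in this section, as an added example in Python (not code from the advisory or from any affected project). It rebuilds the RFC 7919 ffdhe2048 modulus from the formula in the RFC's Appendix A.1 and re-checks it as a safe prime, then compares the square-and-multiply cost and wall time of a full-length 2048-bit private exponent against a short one. The 112-bit security level assumed for a 2048-bit group, and therefore the 224-bit exponent length, is this example's assumption, and the function names are its own; the range check on the peer's public value is the 1 < Y < p-1 test from the text.

```python
"""Added example (not from the original advisory): a DHE server's cost per
handshake is set by the length of its own private exponent; a client that
uses a short exponent, or sends a cheap in-range value, does far less work.

Modulus: RFC 7919 ffdhe2048, rebuilt from the RFC's Appendix A.1 formula
p = 2^2048 - 2^1984 + {[2^1918 * e] + 560316} * 2^64 - 1 and verified as a
safe prime below. Assumption of this example: 112-bit security level for a
2048-bit group, hence 224-bit short exponents.
"""
import secrets
import time
from decimal import Decimal, getcontext

GENERATOR = 2
SECURITY_BITS = 112                  # assumed security level of the group
SHORT_EXP_BITS = 2 * SECURITY_BITS   # "at least twice the security level"


def ffdhe2048_modulus() -> int:
    """Reconstruct RFC 7919 ffdhe2048 from its defining formula."""
    getcontext().prec = 700          # 2^1918 has 578 decimal digits; keep headroom
    e_scaled = int(Decimal(2) ** 1918 * Decimal(1).exp())   # floor(2^1918 * e)
    return 2**2048 - 2**1984 + (e_scaled + 560316) * 2**64 - 1


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin with random bases; enough to re-check a published group."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """p and q = (p-1)/2 both prime: the only small subgroups have order 1 or 2."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def private_exponent_long(p: int) -> int:
    """The affected choice: x uniform in [2, p-2], i.e. a full 2048-bit exponent."""
    return secrets.randbelow(p - 3) + 2


def private_exponent_short(bits: int = SHORT_EXP_BITS) -> int:
    """The van Oorschot-Wiener choice: a random exponent of exactly `bits` bits."""
    return secrets.randbits(bits) | (1 << (bits - 1))


def valid_peer_public(p: int, y: int) -> bool:
    """Range check from the text (RFC 4419): 1 < Y < p-1 rejects 0, 1 and p-1."""
    return 1 < y < p - 1


def modexp_cost(exponent: int) -> int:
    """Square-and-multiply work: a squaring per bit below the top bit, a multiply per further set bit."""
    return (exponent.bit_length() - 1) + (bin(exponent).count("1") - 1)


def server_respond(p: int, x: int, peer_y: int):
    """Server side of one DHE handshake: validate Y, then two exponentiations with x."""
    if not valid_peer_public(p, peer_y):
        raise ValueError("peer public value out of range")
    return pow(GENERATOR, x, p), pow(peer_y, x, p)   # (server public, shared secret)


def time_modexp(exponent: int, p: int, reps: int = 3) -> float:
    """Best-of-`reps` wall time in seconds for one modular exponentiation."""
    best = float("inf")
    for _ in range(reps):
        t0 = time.perf_counter()
        pow(GENERATOR, exponent, p)
        best = min(best, time.perf_counter() - t0)
    return best


if __name__ == "__main__":
    p = ffdhe2048_modulus()
    assert p.bit_length() == 2048 and is_safe_prime(p)

    x_long, x_short = private_exponent_long(p), private_exponent_short()
    for label, x in (("long ", x_long), ("short", x_short)):
        print("%s exponent: %4d bits, ~%4d ops, %.1f ms per modexp"
              % (label, x.bit_length(), modexp_cost(x), 1e3 * time_modexp(x, p)))

    # Honest client using a short exponent: both sides still agree on the secret.
    y = private_exponent_short()
    server_pub, server_secret = server_respond(p, x_short, pow(GENERATOR, y, p))
    assert server_secret == pow(server_pub, y, p)

    # Hostile client: no exponentiation at all, just a cheap in-range value (2).
    # A server using x_long still pays two full-length exponentiations per connection.
    server_respond(p, x_long, 2)
    # Out-of-range values are rejected before any work is done.
    assert not any(valid_peer_public(p, bad) for bad in (0, 1, p - 1))
```

The printed timings differ by roughly the ratio of exponent lengths (about 9 for 2048 versus 224 bits), and the server pays that cost twice per handshake while a client that sends any in-range value pays nothing. Switching the server to private_exponent_short is the mitigation the advisory describes; the range check stays in either case.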
The vulnerability has prompted discussion in the security community about proper Diffie-Hellman parameter selection and implementation. The maintainers of Mozilla's SSL Configuration Generator have considered dropping DHE cipher suites from their recommended configurations because of the D(HE)ater attack (Mozilla Issue).
Source: This report was generated using AI