CVE-2023-28113: 
Rust vulnerability analysis and mitigation

CVE-2023-28113 affects russh, a Rust SSH client and server library, versions 0.34.0 through 0.36.1 and 0.37.0. The vulnerability was discovered and disclosed on March 16, 2023. The issue involves insufficient Diffie-Hellman key validation that can lead to insecure shared secrets (GitHub Advisory).

The vulnerability stems from russh's failure to properly validate Diffie-Hellman keys during the key exchange process. The library accepts received DH public keys e where e<0, e=1, or e≥p-1 from misbehaving peers and successfully completes the key exchange. This violates RFC 4253 section 8 and RFC 8268 section 4, which require that DH Public Key values must satisfy the conditions 1 < e < p-1 and 1 < f < p-1. Additionally, the code doesn't ensure that generated secret keys are within valid intervals (GitHub Advisory). The vulnerability has a CVSS v3.1 base score of 5.9 (Medium) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability affects any connection that uses Diffie-Hellman key exchange with russh. When exploited, it can lead to compromised connection confidentiality, potentially allowing eavesdropping on encrypted communications. The impact is particularly significant for connections between a russh client and server or when a russh peer interacts with other misbehaving peers (GitHub Advisory).

The vulnerability has been patched in versions 0.36.2 and 0.37.1. Users should upgrade to these or later versions to address the security issue. The fix includes proper validation of DH key ranges and implementation of the required security checks (GitHub Release).