Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2023-3446
CVE-2023-3446:
OpenSSL vulnerability analysis and mitigation
Overview
CVE-2023-3446 is a low severity vulnerability discovered in OpenSSL that affects versions 3.1, 3.0, 1.1.1, and 1.0.2. The vulnerability was first detected by OSSfuzz on June 25, 2023, and was publicly disclosed on July 19, 2023. The issue affects applications that use the functions DHcheck(), DHcheckex(), or EVPPKEYparamcheck() to check DH keys or parameters (OpenSSL Advisory).
Technical details
The vulnerability occurs in the DH_check() function which performs various checks on DH parameters. While the function confirms that the modulus ('p' parameter) is not too large, it continues to perform additional checks using the modulus value even after determining it is excessive. OpenSSL normally won't use a modulus larger than 10,000 bits, but the vulnerability allows for checks on larger values. A new maximum of 32,768 bits was introduced as part of the fix (OpenSSL Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).
Impact
When exploited, this vulnerability can cause significant delays in applications that use the affected functions, potentially leading to a Denial of Service (DoS) condition. This is particularly concerning when the key or parameters being checked are obtained from untrusted sources. The vulnerability also affects the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option. However, the OpenSSL SSL/TLS implementation and the OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue (OpenSSL Advisory).
Mitigation and workarounds
Due to the low severity of the issue, OpenSSL did not immediately issue new releases. However, fixes were made available in the OpenSSL git repository: commit fc9867c1 (for 3.1), commit 1fa20cf2 (for 3.0), and commit 8780a896 (for 1.1.1). For version 1.0.2, the fix is available to premium support customers in commit 9a0a4d3c. The fix introduces a maximum limit of 32,768 bits for DH parameter checks (OpenSSL Advisory).
Community reactions
The vulnerability prompted responses from various vendors and organizations. NetApp issued an advisory (NTAP-20230803-0011) detailing the impact on their products and providing remediation information (NetApp Advisory). Debian also released security updates to address the vulnerability in their systems (Debian Advisory).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management