CVE-2023-5678: 
OpenSSL vulnerability analysis and mitigation

CVE-2023-5678 is a vulnerability in OpenSSL affecting versions 3.1 (prior to 3.1.5), 3.0 (prior to 3.0.13), 1.1.1.x, and 1.0.2 (prior to 1.0.2zj). The vulnerability was discovered on August 16, 2023, and publicly disclosed on November 6, 2023. It affects applications that use DHgeneratekey() or DHcheckpub_key() functions when handling X9.42 DH keys or parameters (OpenSSL Advisory).

The vulnerability occurs when generating or checking excessively long X9.42 DH keys or parameters, which can cause significant processing delays. While DHcheck() performs necessary checks for excessively large P and Q parameters (as of CVE-2023-3817), DHcheckpubkey() doesn't implement these checks, making it vulnerable to attacks using excessively large P and Q parameters. Similarly, DHgeneratekey() checks for an excessively large P but not for an excessively large Q. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

When exploited, this vulnerability can lead to Denial of Service (DoS) attacks. Applications using DHgeneratekey() to generate X9.42 DH keys or DHcheckpubkey(), DHcheckpubkeyex(), or EVPPKEYpubliccheck() to check X9.42 DH keys or parameters may experience long delays, particularly when processing keys or parameters from untrusted sources (OpenSSL Advisory).

The vulnerability has been fixed in OpenSSL versions 3.1.5, 3.0.13, and 1.0.2zj. For users unable to upgrade immediately, it's important to note that the OpenSSL SSL/TLS implementation and the OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. The fix includes additional checks for excessively large P and Q parameters in both DHgeneratekey() and DHcheckpub_key() functions (OpenSSL Advisory).