CVE-2023-5678: 
OpenSSL vulnerability analysis and mitigation

CVE-2023-5678 is a vulnerability in OpenSSL affecting versions 3.1 (prior to 3.1.5), 3.0 (prior to 3.0.13), 1.1.1.x, and 1.0.2 (prior to 1.0.2zj). The vulnerability was discovered on August 16, 2023, and publicly disclosed on November 6, 2023. It affects applications that use DH_generate_key() or DH_check_pub_key() functions when handling X9.42 DH keys or parameters (OpenSSL Advisory).

The vulnerability occurs when generating or checking excessively long X9.42 DH keys or parameters, which can cause significant processing delays. While DH_check() performs necessary checks for excessively large P and Q parameters (as of CVE-2023-3817), DH_check_pub_key() doesn't implement these checks, making it vulnerable to attacks using excessively large P and Q parameters. Similarly, DH_generate_key() checks for an excessively large P but not for an excessively large Q. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

When exploited, this vulnerability can lead to Denial of Service (DoS) attacks. Applications using DH_generate_key() to generate X9.42 DH keys or DH_check_pub_key(), DH_check_pub_key_ex(), or EVP_PKEY_public_check() to check X9.42 DH keys or parameters may experience long delays, particularly when processing keys or parameters from untrusted sources (OpenSSL Advisory).

The vulnerability has been fixed in OpenSSL versions 3.1.5, 3.0.13, and 1.0.2zj. For users unable to upgrade immediately, it's important to note that the OpenSSL SSL/TLS implementation and the OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. The fix includes additional checks for excessively large P and Q parameters in both DH_generate_key() and DH_check_pub_key() functions (OpenSSL Advisory).