FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

OpenSSL -- Client DoS due to large DH parameter

Affected packages
libressl < 2.7.4
libressl-devel < 2.7.4
openssl < 1.0.2o_4,1
openssl-devel < 1.1.0h_2

Details

VuXML ID c82ecac5-6e3f-11e8-8777-b499baebfeaf
Discovery 2018-06-12
Entry 2018-06-12

The OpenSSL project reports:

During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack.
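A client-side guard against the condition described above, as an added example (not code from OpenSSL, LibreSSL or FreeBSD): it parses the TLS 1.2 `ServerDHParams` structure (`dh_p`, `dh_g`, `dh_Ys`, each a 2-byte length followed by data) and rejects an oversized prime before any key generation runs. The 8192-bit cap, the function names and the sample message are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_DH_PRIME_BITS 8192  /* assumed local policy cap, not from the advisory */
enum dh_check { DH_OK = 0, DH_MALFORMED = -1, DH_PRIME_TOO_LARGE = -2 };

/* Read one opaque<1..2^16-1> field: 2-byte big-endian length, then data. */
static int read_opaque16(const uint8_t **p, size_t *left, const uint8_t **d, size_t *n)
{
    if (*left < 2) return -1;
    *n = ((size_t)(*p)[0] << 8) | (*p)[1];
    if (*n == 0 || *n > *left - 2) return -1;   /* empty or runs past the buffer */
    *d = *p + 2;
    *p += 2 + *n; *left -= 2 + *n;
    return 0;
}

/* Bit length of a big-endian integer, ignoring leading zero bytes. */
static size_t bit_length(const uint8_t *d, size_t n)
{
    while (n > 0 && *d == 0) { d++; n--; }
    if (n == 0) return 0;
    size_t bits = n * 8;
    for (uint8_t top = *d; !(top & 0x80); top <<= 1) bits--;
    return bits;
}

/* Validate ServerDHParams before doing DH math; trailing bytes (signature) are ignored. */
enum dh_check check_server_dh_params(const uint8_t *buf, size_t len)
{
    const uint8_t *p, *g, *ys; size_t plen, glen, yslen;
    if (read_opaque16(&buf, &len, &p, &plen) ||
        read_opaque16(&buf, &len, &g, &glen) ||
        read_opaque16(&buf, &len, &ys, &yslen))
        return DH_MALFORMED;
    return bit_length(p, plen) > MAX_DH_PRIME_BITS ? DH_PRIME_TOO_LARGE : DH_OK;
}

/* Constructed sample: dh_p = p_bytes (<= 65535) of 0xFF, dh_g = 2, dh_Ys = 5; drop `cut` bytes. */
enum dh_check check_sample(size_t p_bytes, size_t cut)
{
    static uint8_t m[65536 + 8];
    size_t i = 0;
    m[i++] = (uint8_t)(p_bytes >> 8); m[i++] = (uint8_t)p_bytes;
    memset(m + i, 0xFF, p_bytes); i += p_bytes;
    m[i++] = 0; m[i++] = 1; m[i++] = 2; m[i++] = 0; m[i++] = 1; m[i++] = 5;
    return check_server_dh_params(m, i - cut);
}
int main(void) { return check_sample(256, 0) != DH_OK; }
```

A check of this kind belongs in the handshake path before the client generates its own DH key, since that generation step is where the quoted advisory locates the hang.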

References

CVE Name CVE-2018-0732
URL https://www.openssl.org/news/secadv/20180612.txt