A resource exhaustion vulnerability, CVE-2002-20001, exists in the implementation of the Diffie-Hellman key exchange protocol.
The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys and trigger expensive server-side DHE modular-exponentiation calculations, also known as a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive where a client can require a server to select its largest supported key size. The basic attack scenario requires the client to claim DHE-only communication capabilities, and the server must be configured to permit DHE.
This vulnerability affects any product or service that accepts DHE cipher suites. To mitigate the risk, Moxa has released solutions for the affected products. We recommend applying the appropriate solutions immediately.
The Identified Vulnerability Type and Potential Impact
CVE ID |
Vulnerability Type |
Impact |
CVE-2002-20001 |
CWE-400: Uncontrolled Resource Consumption
|
An attacker can force the server to perform high-cost modular exponentiation operations. This leads to significant CPU usage on the server side, potentially degrading service availability or resulting in a complete denial of service. |
Vulnerability Scoring Details
CVE ID
|
Base Score
|
Vector
|
Severity |
Unauthenticated
Remote Exploits
|
CVE-2002-20001 |
CVSS:3.1: 7.5
|
AV:N/AC:L/PR:N/UI:N/S:U/ C:N/I:N/A:H
|
High |
Yes |