CVE-2024-41996
HIGHDiffie-Hellman Key Agreement Protocol - Resource Consumption
Title source: llmDescription
Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.
References (6)
Core 6
Core References
Various Sources
https://dheatattack.gitlab.io/details/
Various Sources
https://dheatattack.gitlab.io/faq/
Various Sources
https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1
Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-089022.html
Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-265688.html
Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-485750.html
Scores
CVSS v3
7.5
EPSS
0.0108
EPSS Percentile
60.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-295
Status
published
Published
Aug 26, 2024
Tracked Since
Feb 18, 2026