bugzilla-daemon at mindrot.org
2024-Jul-16 12:14 UTC
[Bug 3711] New: How do you defend against the D (HE) ater attack?
https://bugzilla.mindrot.org/show_bug.cgi?id=3711
Bug ID: 3711
Summary: How do you defend against the D (HE) ater attack?
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: security
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: rmsh1216 at 163.com
The Diffie-Hellman key agreement protocol allows a remote attacker
(from the client) to send arbitrary numbers that are not actually
public keys and trigger an expensive server-side DHE modular
exponentiation, i.e., a D (HE) at or D (HE) ater attack. The issue has
been flagged as a vulnerability, CVE-2002-20001 and CVE-2022-40735. Is
there a way to fix this vulnerability in openssh?
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Jul-17 00:48 UTC
[Bug 3711] How do you defend against the D (HE) ater attack?
https://bugzilla.mindrot.org/show_bug.cgi?id=3711
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |djm at mindrot.org
Resolution|--- |FIXED
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Use openssh 9.8. PerSourcePenalties are on by default
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
Reasonably Related Threads
- [Bug 3771] New: Will future versions of openssh provide DDoS attack defense for the DH algorithm?:CVE-2024-41996
- Defend against user enumeration timing attacks - overkill
- Defend against user enumeration timing attacks - overkill
- Defend against user enumeration timing attacks - overkill
- Defend against user enumeration timing attacks - overkill