Vulnerable kex-algorithms and ciphers

Hi,

The vulnerabilities:

  • Diffie-Hellman Ephemeral Key Exchange DoS Vulnerability (SSH, D(HE)ater)

  • Diffie-Hellman Ephemeral Key Exchange DoS Vulnerability (SSL/TLS, D(HE)ater)

with the CVEs:

  • CVE-2002-20001 and CVE-2022-40735

are given a 30% QoD value. Why is that?

I understand why the 30% value is given for software versions where it is possible that a backport patch exists that is not visible remotely. However, the kex-algorithms and ciphers do not face the same problem. The detection of the ciphers is given a 98% QoD, so why is the vulnerability regarding the same ciphers given a 30% QoD? What is not reliable about the detection of the vulnerability in this case?

Best regards
Bob

This is due to the following available mitigations mentioned in the “solution” tag of the VTs in question:

  • Limit the maximum number of concurrent connections in e.g. the configuration of the remote server. For OpenSSH this limit can be configured via the ‘MaxStartups’ option, for other products please refer to the manual of the product in question on configuration possibilities.

and

  • Limit the maximum number of concurrent connections in e.g. the configuration of the remote server. For Postfix this limit can be configured via ‘smtpd_client_new_tls_session_rate_limit’ option, for other products please refer to the manual of the product in question on configuration possibilities.

To the best of my knowledge it is actually not enough to have the affected ciphers enabled to be vulnerable, and mitigations are available as mentioned above. Because of this, the VTs in question have a lower Quality of Detection, as they are not “actively” checking for the DoS situation.

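To make the reply's point concrete: the following is an added example, not code from this thread or from Greenbone's VTs. It shows what a remote scanner can actually observe for the D(HE)ater checks (the finite-field DH kex methods the server lists in its SSH_MSG_KEXINIT) next to what it cannot (whether `MaxStartups` or a restricted `KexAlgorithms` line in sshd_config blunts the attack). Both the KEXINIT payload and the sshd_config excerpt are constructed sample inputs; the function names (`assess`, `kex_restricted_to_non_dhe`, and so on) are assumptions made for this example.

```python
"""Remote vs. host view of D(HE)ater exposure for an SSH server (added example).
Remotely only the offered kex methods are visible; the MaxStartups limit that the
VT's solution text points to lives in sshd_config and is invisible to a scanner."""
import re
import struct

SSH_MSG_KEXINIT = 20
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Finite-field DH kex names (RFC 4253, RFC 4419, RFC 8268).  ECDH and curve25519
# methods are not affected by D(HE)ater and are deliberately not matched.
DHE_PREFIX = "diffie-hellman-group"
OPENSSH_DEFAULT_MAXSTARTUPS = (10, 30, 100)   # documented sshd_config(5) default


def _name_list(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, host_key=("ssh-ed25519",), enc=("aes256-gcm@openssh.com",),
                  mac=("hmac-sha2-256",), comp=("none",)):
    """Construct an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) as sample input."""
    cookie = bytes(range(16))                     # fixed cookie is fine for a sample
    lists = (kex, host_key, enc, enc, mac, mac, comp, comp, (), ())
    body = b"".join(_name_list(l) for l in lists)
    return bytes([SSH_MSG_KEXINIT]) + cookie + body + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Parse the ten name-lists of a KEXINIT payload into a dict; raises on short input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}                             # skip message byte and 16-byte cookie
    for field in KEXINIT_FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list for %s" % field)
        off += 4 + n
        out[field] = [s for s in raw.decode("ascii").split(",") if s]
    return out


def dhe_kex_offered(kex_algorithms):
    """Kex methods a D(HE)ater client could select to force server-side modexp."""
    return [k for k in kex_algorithms if k.startswith(DHE_PREFIX)]


def parse_sshd_config(text):
    """Global sshd_config keywords, lower-cased.  As in sshd_config(5) the first
    occurrence wins, 'keyword value' and 'keyword=value' are both accepted, and
    parsing stops at the first Match block (those options are conditional)."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        cfg.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return cfg


def max_startups(cfg):
    """(start, rate, full) for MaxStartups.  A bare integer N is modelled here as
    (N, 100, N): refuse everything once N unauthenticated connections are pending."""
    value = cfg.get("maxstartups")
    if value is None:
        return OPENSSH_DEFAULT_MAXSTARTUPS
    fields = [int(x) for x in value.split(":")]
    return tuple(fields) if len(fields) == 3 else (fields[0], 100, fields[0])


def kex_restricted_to_non_dhe(cfg):
    """True if KexAlgorithms is an absolute list without finite-field DH.  Relative
    forms (+, -, ^ prefixes) depend on the build's defaults, so return None."""
    value = cfg.get("kexalgorithms")
    if value is None:
        return False
    if value[0] in "+-^":
        return None
    return not dhe_kex_offered(value.split(","))


def assess(kexinit_payload, sshd_config_text=None):
    """Remote view first (what a VT can see), host view second (what it cannot)."""
    dhe = dhe_kex_offered(parse_kexinit(kexinit_payload)["kex"])
    result = {"dhe_kex": dhe,
              "remote_verdict": "DHE kex offered (possible target)" if dhe else "no DHE kex offered"}
    if sshd_config_text is not None:
        cfg = parse_sshd_config(sshd_config_text)
        result["max_startups"] = max_startups(cfg)
        result["maxstartups_explicit"] = "maxstartups" in cfg
        result["kex_without_dhe"] = kex_restricted_to_non_dhe(cfg)
    return result


if __name__ == "__main__":
    sample = build_kexinit(("curve25519-sha256", "diffie-hellman-group-exchange-sha256",
                            "diffie-hellman-group14-sha256"))
    # Constructed sshd_config excerpt (not from any real host): DHE removed, limit capped.
    hardened = ("# drop finite-field DH and cap pending connections\n"
                "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org\n"
                "MaxStartups 10:30:60\nMatch User backup\n  MaxStartups 5\n")
    print(assess(sample))
    print(assess(sample, hardened))
```

The remote half of `assess` is all a network scanner gets, which is why a VT built on it can only say "DHE kex offered" and not "DoS reproduced"; the host half is what the operator checks locally before deciding whether the finding is a false positive.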