Bug 3387 - Will future versions of openssh not support DHE because of "dheater" vulnerability :CVE-2002-20001?
Summary: Will future versions of openssh not support DHE because of "dheater" vulnera...
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd (show other bugs)
Version: 8.8p1
Hardware: Other All
: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-02-11 14:57 AEDT by renmingshuai
Modified: 2023-03-17 13:41 AEDT (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description renmingshuai 2022-02-11 14:57:39 AEDT 
The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. We have repeated the attack when establish ssh connections. What will openssh do to avoid dheater?
Comment 1 Damien Miller 2022-02-11 15:04:23 AEDT 
Not based on that attack, it's AFAIK a denial of service only that is already mitigated by existing measures in sshd including LoginGraceTime and MaxStartups.
Comment 2 renmingshuai 2022-02-11 17:16:15 AEDT 
Is it a vulnerability in DHE algorithm protocol, not in openssh?
Comment 3 Damien Miller 2022-02-14 16:33:27 AEDT 
It's probably an intrinsic issue to any cryptographic key agreement protocol that an attacker can cause the server to do useless work. I don't think ECDSA or any of the PQ KEM algorithms will be any less susceptible, though they are faster so the impact is less.
Comment 4 Damien Miller 2023-03-17 13:41:34 AEDT 
OpenSSH 9.3 has been released. Close resolved bugs