Login Sign Up

CVE-2024-4603

5.3 MEDIUM
Denial of Service

📋 TL;DR

This vulnerability allows denial-of-service attacks against applications that use OpenSSL's EVP_PKEY_param_check() or EVP_PKEY_public_check() functions with untrusted DSA keys or parameters. Attackers can supply excessively large DSA moduli to cause long processing delays. Only applications that directly call these functions with untrusted input are affected.

💻 Affected Systems

Products:
  • OpenSSL
  • Applications using OpenSSL's EVP_PKEY_param_check() or EVP_PKEY_public_check() with DSA keys
Versions: OpenSSL 3.0 and 3.1 (including FIPS providers)
Operating Systems: All operating systems running affected OpenSSL versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when applications explicitly call EVP_PKEY_param_check() or EVP_PKEY_public_check() with untrusted DSA keys/parameters. OpenSSL's SSL/TLS implementation is not affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to CPU exhaustion from processing maliciously large DSA parameters, potentially affecting multiple services simultaneously.

🟠

Likely Case

Degraded performance or temporary service disruption for applications that validate DSA keys from external sources.

🟢

If Mitigated

Minimal impact if applications validate key sizes before calling vulnerable functions or use patched OpenSSL versions.

🌐 Internet-Facing: MEDIUM - Only affects specific applications that call vulnerable functions with untrusted input, not general SSL/TLS services.
🏢 Internal Only: LOW - Internal systems typically use trusted keys, reducing attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Requires only supplying large DSA parameters to vulnerable applications.

Exploitation requires applications to accept and validate untrusted DSA keys using the vulnerable functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenSSL 3.0.14 and 3.1.6

Vendor Advisory: https://www.openssl.org/news/secadv/20240516.txt

Restart Required: Yes

Instructions:

1. Update OpenSSL to version 3.0.14 or 3.1.6. 2. Recompile applications against updated OpenSSL. 3. Restart affected services.

🔧 Temporary Workarounds

Validate DSA key size before checking

all

Add size validation for DSA modulus (p parameter) before calling vulnerable functions

// Example C code: check DSA modulus size
if (BN_num_bits(dsa->p) > 10000) {
    // Reject or handle as invalid
}

Limit key processing time

linux

Implement timeout mechanisms for cryptographic operations

// Use alarm() or setitimer() to interrupt long operations
signal(SIGALRM, timeout_handler);
alarm(5); // 5 second timeout

🧯 If You Can't Patch

  • Avoid using EVP_PKEY_param_check() and EVP_PKEY_public_check() with untrusted DSA keys
  • Implement input validation to reject DSA keys with modulus larger than 10,000 bits

🔍 How to Verify

Check if Vulnerable:

Check if application code calls EVP_PKEY_param_check() or EVP_PKEY_public_check() with DSA keys from untrusted sources

Check Version:

openssl version

Verify Fix Applied:

Verify OpenSSL version is 3.0.14+ or 3.1.6+ and applications have been recompiled

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for DSA key validation
  • CPU spikes during cryptographic operations

Network Indicators:

  • Repeated DSA key submission attempts to vulnerable endpoints

SIEM Query:

Process monitoring for openssl pkey/pkeyparam commands with -check flag

📊 Metadata

CVE ID: CVE-2024-4603
CVSS v3 Score: 5.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-606
Published: May 16, 2024
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-4603, you might also want to check these:

CVE-2026-23689 7.7

This CVE describes a denial-of-service vulnerability in SAP systems where authenticated users can tr...

Same vulnerability type (CWE-606)
CVE-2024-34486 7.5

This vulnerability in Faucet SDN Ryu's parser.py allows attackers to trigger an infinite loop by sen...

Same vulnerability type (CWE-606)
CVE-2024-13931 7.2

This CVE describes a relative path traversal vulnerability in ABB's ASPECT software that allows atta...

Same vulnerability type (CWE-606)