CVE-2024-4603 Overview
CVE-2024-4603 is a Denial of Service vulnerability in OpenSSL affecting the DSA key and parameter checking functions. Applications that use EVP_PKEY_param_check() or EVP_PKEY_public_check() to verify DSA public keys or parameters may experience significant delays when processing excessively long DSA keys. When the key or parameters being checked originate from an untrusted source, this can lead to a Denial of Service condition.
The vulnerability stems from the fact that certain computations within these functions take an extraordinarily long time when the modulus (p parameter) is excessively large. While OpenSSL limits public keys to 10,000 bits for signature verification, these parameter check functions do not enforce such limits, creating an exploitable condition.
Critical Impact
Applications directly calling EVP_PKEY_param_check() or EVP_PKEY_public_check() with untrusted DSA keys can be subjected to resource exhaustion attacks, causing service unavailability. The OpenSSL pkey and pkeyparam command line tools are also affected when using the -check option.
Affected Products
- OpenSSL 3.0 series (including FIPS provider)
- OpenSSL 3.1 series (including FIPS provider)
- OpenSSL 3.2 series
- OpenSSL 3.3 series
Discovery Timeline
- May 16, 2024 - CVE-2024-4603 published to NVD
- May 16, 2024 - OpenSSL releases security advisory and patches
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2024-4603
Vulnerability Analysis
This vulnerability is classified under CWE-606 (Unchecked Input for Loop Condition) and CWE-834 (Excessive Iteration). The core issue lies in the absence of bounds checking on DSA modulus size during key and parameter validation operations.
When EVP_PKEY_param_check() or EVP_PKEY_public_check() processes a DSA key with an abnormally large modulus, the mathematical operations required for validation become computationally expensive. Unlike signature verification, which caps the modulus at 10,000 bits, these check functions process keys without size restrictions. An attacker can exploit this by providing specially crafted DSA keys with extremely large modulus values, causing the validation process to consume excessive CPU time.
It is important to note that OpenSSL itself does not call these functions on untrusted keys, so the SSL/TLS implementation remains unaffected. Only applications that explicitly invoke these validation functions on external input are vulnerable.
Root Cause
The root cause is the absence of modulus size validation within the EVP_PKEY_param_check() and EVP_PKEY_public_check() functions. While OpenSSL enforces a 10,000-bit limit for signature verification operations, this limit was not applied to the parameter and public key check functions. This inconsistency allows attackers to supply DSA keys with arbitrarily large modulus values that pass initial parsing but cause excessive computation during validation.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by:
- Crafting a malicious DSA key with an excessively large modulus parameter
- Submitting this key to an application that validates DSA keys using the vulnerable functions
- The application's validation routine enters a long computational loop
- Service degradation or complete denial of service occurs due to CPU exhaustion
The attack is particularly effective against services that accept and validate cryptographic keys from untrusted sources, such as certificate validation services or key management systems.
The vulnerability is triggered when applications process untrusted DSA keys through the affected functions. The excessive computation occurs during modulus-based mathematical operations within the parameter checking routines. For technical implementation details, refer to the OpenSSL Security Advisory.
Detection Methods for CVE-2024-4603
Indicators of Compromise
- Unusual CPU spikes on systems processing cryptographic key validation
- Extended processing times for DSA key or parameter checks
- Service timeouts or unresponsiveness in applications handling certificate or key validation
- Log entries indicating prolonged operations in OpenSSL-dependent services
Detection Strategies
- Monitor CPU utilization patterns on systems running OpenSSL-dependent applications that validate external keys
- Implement logging around EVP_PKEY_param_check() and EVP_PKEY_public_check() function calls to track execution duration
- Deploy application-level timeouts for cryptographic validation operations
- Use intrusion detection systems to identify abnormally large DSA key submissions
Monitoring Recommendations
- Configure alerting for CPU exhaustion events on critical cryptographic services
- Implement request rate limiting on endpoints that accept cryptographic key material
- Monitor OpenSSL-related error logs for validation timeout events
- Track network traffic for unusually large certificate or key payloads targeting validation endpoints
How to Mitigate CVE-2024-4603
Immediate Actions Required
- Upgrade OpenSSL to a patched version immediately
- Audit application code for direct usage of EVP_PKEY_param_check() or EVP_PKEY_public_check() functions
- Implement input validation to reject DSA keys with excessive modulus sizes before passing to OpenSSL functions
- Add timeout mechanisms around key validation operations to prevent prolonged processing
Patch Information
OpenSSL has released patches addressing this vulnerability across multiple branches. The fixes introduce modulus size limits within the parameter and public key check functions, aligning them with the existing signature verification restrictions.
Patched versions and relevant commits:
Users should upgrade to OpenSSL 3.0.14, 3.1.6, 3.2.2, or 3.3.1 or later. For additional details, see the OpenSSL Security Advisory and the NetApp Security Advisory.
Workarounds
- Avoid using EVP_PKEY_param_check() or EVP_PKEY_public_check() on untrusted DSA keys until patched
- Implement application-level size checks on DSA key modulus before validation
- Use resource limits (cgroups, ulimit) to constrain CPU time for key validation processes
- Consider temporary disabling of DSA key acceptance from untrusted sources
# Example: Implement process-level CPU time limits
# Set CPU time limit to 30 seconds for the validation process
ulimit -t 30
# Or use timeout command for individual validation operations
timeout 10s openssl pkey -in untrusted_key.pem -check
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
