CVE-2023-5678: Excessive time spent in DH check / generation with large Q parameter value
Issue summary: Generating excessively long X9.42 DH keys or checking
excessively long X9.42 DH keys or parameters may be very slow.
Impact summary: Applications that use the functions DH_generate_key() to
generate an X9.42 DH key may experience long delays. Likewise, applications
that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.
While DH_check() performs all the necessary checks (as of CVE-2023-3817),
DH_check_pub_key() doesn't make any of these checks, and is therefore
vulnerable for excessively large P and Q parameters.
Likewise, while DH_generate_key() performs a check for an excessively large
P, it doesn't check for an excessively large Q.
An application that calls DH_generate_key() or DH_check_pub_key() and
supplies a key or parameters obtained from an untrusted source could be
vulnerable to a Denial of Service attack.
DH_generate_key() and DH_check_pub_key() are also called by a number of
other OpenSSL functions. An application calling any of those other
functions may similarly be affected. The other functions affected by this
are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().
Also vulnerable are the OpenSSL pkey command line application when using the
"-pubcheck" option, as well as the OpenSSL genpkey command line application.
The OpenSSL SSL/TLS implementation is not affected by this issue.
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
Security readout for executives and security teams
Plain-English summary
CVE-2023-5678 can make affected OpenSSL-based applications spend excessive CPU time handling unusually large X9.42 Diffie-Hellman values. The main business risk is denial of service, not data theft. OpenSSL says its SSL/TLS implementation and OpenSSL 3.0/3.1 FIPS providers are not affected.
Executive priority
Treat as a moderate availability risk. Prioritize systems that process user-supplied cryptographic keys or parameters, especially internet-facing services and vendor products bundling OpenSSL. Broad emergency action is not supported by the provided evidence.
Technical view
Affected OpenSSL functions include DH_generate_key(), DH_check_pub_key(), DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Large X9.42 DH Q, and in some checks large P, can cause long delays when keys or parameters come from untrusted sources. The pkey -pubcheck and genpkey command-line uses are also vulnerable.
Likely exposure
Exposure is most likely in applications, appliances, or scripts that accept untrusted X9.42 DH keys or parameters and call affected OpenSSL APIs. General OpenSSL presence alone is not enough evidence. TLS-only use appears out of scope based on the OpenSSL advisory.
Exploitation context
The source bundle marks KEV as false and provides no evidence of active exploitation. The condition is remotely relevant where an unauthenticated user can supply DH material that is later checked or used for generation. Impact is availability degradation through slow processing.
Researcher notes
CWE-606 fits the uncontrolled resource-consumption pattern. The key nuance is scope: affected API paths differ from OpenSSL TLS, and FIPS providers are excluded. Validate actual code paths before declaring exposure. Evidence provided supports patches but not exploit activity.
Mitigation direction
Inventory affected OpenSSL versions and uses of X9.42 DH validation or generation.
Upgrade to vendor-fixed OpenSSL releases where applicable.
Apply downstream vendor updates for embedded OpenSSL in appliances and operating systems.
Reduce or reject untrusted DH parameter intake where business logic allows.
Monitor vendor advisories for products bundling OpenSSL.
Validation and detection
Confirm whether applications call the affected OpenSSL functions with untrusted inputs.
Check deployed OpenSSL versions against vendor-fixed release guidance.
Verify TLS-only services are not misclassified as exposed.
Review command-line jobs using pkey -pubcheck or genpkey.
Track downstream advisories for NetApp, Debian, Siemens, and other suppliers.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-606: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.