oss-sec mailing list archives
Socat security advisory 7 - Created new 2048bit DH modulus
From: Gerhard Rieger <gerhard () dest-unreach org>
Date: Mon, 1 Feb 2016 16:32:55 +0100
Socat security advisory 7 - Created new 2048bit DH modulus
Overview
In the OpenSSL address implementation the hard-coded 1024 bit DH p
parameter was not prime. The effective cryptographic strength of a key
exchange using these parameters was weaker than the one one could get by
using a prime p. Moreover, since there is no indication of how these
parameters were chosen, the existence of a trapdoor that makes it possible
for an eavesdropper to recover the shared secret from a key exchange that
uses them cannot be ruled out.
A new prime modulus p parameter has been generated by a Socat developer
using the OpenSSL dhparam command.
In addition the new parameter is 2048 bits long.
Vulnerability Ids:
Socat security issue 7
MSVR-1499
Severity: Unknown
Affected versions
1.7.3.0
2.0.0-b8
Not affected or corrected versions
1.0.0.0 - 1.7.2.4
1.7.3.1 and later
2.0.0-b1 - 2.0.0-b7
2.0.0-b9 and later
Workaround
Disable DH ciphers
Download
The updated sources can be downloaded from:
http://www.dest-unreach.org/socat/download/socat-1.7.3.1.tar.gz
http://www.dest-unreach.org/socat/download/socat-2.0.0-b9.tar.gz
Acknowledgments
Santiago Zanella-Beguelin and Microsoft Vulnerability Research (MSVR).
