VYPR
Low severity · CVSS 3.7 · NVD Advisory · Published Feb 15, 2016 · Updated May 6, 2026

CVE-2016-0701

Description

OpenSSL 1.0.2 before 1.0.2f reuses the same private DH exponent with unsafe primes, allowing a remote attacker to recover the private key via multiple handshakes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 up to (but excluding) 1.0.2f does not ensure that prime numbers used for Diffie-Hellman key exchange are appropriate (i.e., 'safe' primes). Starting in version 1.0.2, OpenSSL added support for generating X9.42-style parameter files (such as those for RFC 5114), which may contain primes that are not safe and allow small-subgroup attacks. An attacker can exploit this weakness by completing multiple handshakes with a peer that reuses the same private DH exponent, eventually recovering the private key. [1][2]

Exploitation

To exploit this vulnerability, an attacker must complete multiple TLS handshakes with a peer (server) that uses the same private DH exponent across sessions. This occurs when the server is configured with DH parameters based on unsafe primes and either uses a static DH ciphersuite (key embedded in the certificate) or uses ephemeral DH (DHE) without the SSL_OP_SINGLE_DH_USE option (which is not set by default). In such cases, the server reuses the private exponent for the lifetime of the process. The attacker performs repeated handshakes, sending chosen DH public values to probe for small subgroups, and from the responses deduces the private exponent. [1][2]

Impact

Successful exploitation allows a remote attacker to recover the victim server's private DH exponent. With this, the attacker can decrypt past or future TLS sessions (for static DH ciphersuites) or, in the case of reused ephemeral keys, decrypt the specific handshakes performed. This leads to a breach of confidentiality of the encrypted communications. The attack is limited to servers using unsafe primes and reusing the same private exponent; many popular applications (e.g., Apache mod_ssl) set SSL_OP_SINGLE_DH_USE and are not at risk for DHE. However, static DH ciphersuites remain vulnerable regardless. [1][2]

Mitigation

OpenSSL 1.0.2f, released on 28 January 2016, fixes the vulnerability by properly checking primes in DH parameter generation and use. Users should upgrade to version 1.0.2f or later. As a workaround, administrators can set the SSL_OP_SINGLE_DH_USE option to ensure a fresh private exponent is generated for each DHE handshake, or avoid using unsafe primes (such as those from RFC 5114). Static DH ciphersuites should be disabled if not required. OpenSSL 1.0.1 reached end-of-life on 31 December 2016 and received no further security fixes. [1][2][3][4]
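The parameter check the 1.0.2f fix adds, and the "avoid unsafe primes" workaround above, both come down to one property of the DH modulus. Below is an added example, not OpenSSL code, that implements the same safe-prime test in pure Python so an administrator can audit a prime p taken from a parameter file before deploying it; the sample values (23, 31 and the Mersenne prime 2^61-1) are constructed for illustration.

```python
# Added example (not part of OpenSSL): audit a DH prime p for the property the
# 1.0.2f fix enforces. A "safe" prime has p = 2q + 1 with q prime, so Z_p* only
# has subgroups of order 1, 2, q and 2q. With an unsafe prime, (p-1)/2 has small
# prime factors, i.e. small subgroups, which is the precondition for CVE-2016-0701.
import random

# Bases 2..37 make Miller-Rabin deterministic below this bound (well-known result).
_SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
_DETERMINISTIC_LIMIT = 318_665_857_834_031_151_167_461


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test; deterministic below _DETERMINISTIC_LIMIT."""
    if n < 2:
        return False
    for sp in _SMALL:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    bases = _SMALL if n < _DETERMINISTIC_LIMIT else [random.randrange(2, n - 1) for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """True when p and (p-1)/2 are both prime, the check OpenSSL 1.0.2f performs."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def small_subgroup_orders(p: int, bound: int = 1 << 16) -> list:
    """Distinct odd prime factors of (p-1)/2 below `bound`, by trial division.
    Each factor is the order of a small subgroup; a safe prime yields none."""
    q, found, f = (p - 1) // 2, [], 3
    while f < bound and f * f <= q:
        if q % f == 0:
            found.append(f)
            while q % f == 0:
                q //= f
        f += 2
    if 1 < q < bound:  # leftover cofactor is prime here and still "small"
        found.append(q)
    return found
```

A deployed modulus can be read with `openssl dhparam -in dh.pem -text -noout`; a result of `is_safe_prime(p) == False` together with a non-empty `small_subgroup_orders(p)` is exactly the configuration described under Vulnerability, and OpenSSL's `DH_check` reports the same condition with the `DH_CHECK_P_NOT_SAFE_PRIME` flag.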

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

11
  • cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2:beta2:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2:beta3:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*
  • (no CPE) range: <1.0.2f

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

24

News mentions

0

No linked articles in our index yet.