Security Vulnerability: DHEater aka CVE-2002-20001
This document (000020510) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11
All applications on SUSE Linux Enterprise are affected that have DHE enabled. The Diffie-Hellman Epheremal key exchange is usually configured by default to provide perfect forward secrecy.
Note that Elliptic Curve Diffie-Hellman is not affected by this problem.
SUSE continues to monitor if and when cryptographic libraries will develop and implement counter measures in their Diffie-Hellman code and then backport those fixes. Up to then, the DHE key exchange method should be disabled and the Elliptic Curve Diffie-Hellman method being used as a workaround.
SUSE currently recommends to disable the DHE key exchange until technological solution can be found, using methods listed in the "additional information" section. While we use DEFAULT_SUSE as a default cipher set, removing DHE unconditionally could break existing setups so SUSE will not remove this proactively at this time.
A workaround is to temporary disable DHE key exchange and only use ECDHE (Elliptic Curve Diffie-Hellman), in SSL / TLS / HTTPS using network services. You need to check if this does not cause interoperability issues.
In the SSL vhost config, add the !kDHE modifier to the use SSLCipherSuite in eg. /etc/apache2/ssl-global.conf or local overriding vhost configs,
Disable the Diffie-Hellman key exchange methods by adding to or using KexAlgorithms in /etc/ssh.d/sshd_config
KexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group1-sha256,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha256,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha512For SLES12 SP5
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020510
- Creation Date: 05-Jul-2022
- Modified Date:05-Jul-2022
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com