D(HE)ater vulnerability on HTTPS
Advisory ID | CVE Number | Date discovered | Severity | Advisory revision |
---|---|---|---|---|
STORM-2023-004 | CVE-2002-20001 | 02/11/2022 | medium | v3 |
Vulnerability details
The HTTPS algorithm selection can lead to high CPU consumption.
Impacted products
Products | Severity | Detail |
---|---|---|
Stormshield Network Security | medium | SNS is impacted |
Revisions
Version | Date | Description |
---|---|---|
v1 | 02/21/2023 | Initial release |
v2 | 08/31/2023 | Edit impacted versions |
v3 | 11/22/2023 | Add workaround solution |
Stormshield Network Security
CVSS v3.1 Overall Score: 5.5
Analysis | Impacted version |
---|---|
The HTTPS algorithm selection can lead to high CPU consumption. | |
Workaround solution
Solution
Disabling those ciphers from “Paranoiac mode” on SSL connections can mitigate the risks of this vulnerability:
This can be done via the “CONFIG AUTH HTTPS” CLI command. Please note that disabling these ciphers may have an impact on some browser versions. See the Stormshield Knowledge Base for more information about SSL cipher configuration:
The following versions fix this vulnerability
Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability impact |
---|---|---|---|---|---|---|---|
Network | Low | None | None | Unchanged | None | None | Low |
CVSS Base score: 5.3 | CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) |
Exploit Code Maturity | Remediation Level | Report Confidence |
---|---|---|
Proof of concept code | Official fix | Confirmed |
CVSS Temporal score: 4.8 | CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C) |
Confidentiality Requirement | Integrity Requirement | Availability Requirement |
---|---|---|
High | High | High |
CVSS Environmental score: 5.5 | CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X) |