First published: Thu Nov 11 2021(Updated: )
The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
balasys dheater | ||
SUSE Linux Enterprise Server | =15 | |
SUSE Linux Enterprise Server | =11 | |
SUSE Linux Enterprise Server | =12 | |
F5 BIG-IP and BIG-IQ Centralized Management | =7.1.0 | |
F5 BIG-IP and BIG-IQ Centralized Management | >=8.0.0<=8.2.0 | |
F5 BIG-IP Service Proxy for Kubernetes | =1.6.0 | |
F5 Traffix Systems Signaling Delivery Controller | =5.2.0 | |
F5 Traffix Systems Signaling Delivery Controller | =5.1.0 | |
F5 Access Policy Manager | >=13.1.0<=17.1.0 | |
F5 BIG-IP Advanced Firewall Manager | >=13.1.0<=17.1.0 | |
F5 BIG-IP Advanced WAF/ASM | >=13.1.0<=17.1.0 | |
F5 BIG-IP Analytics | >=13.1.0<=17.1.0 | |
F5 BIG-IP Application Acceleration Manager | >=13.1.0<=17.1.0 | |
F5 Application Security Manager | >=13.1.0<=17.1.0 | |
F5 BIG-IP Application Visibility and Reporting | >=13.1.0<=17.1.0 | |
F5 BIG-IP Carrier-Grade NAT | >=13.1.0<=17.1.0 | |
F5 BIG-IP DDoS Hybrid Defender | >=13.1.0<=17.1.0 | |
F5 BIG-IP | >=13.1.0<=17.1.0 | |
F5 BIG-IP Edge Gateway | >=13.1.0<=17.1.0 | |
F5 BIG-IP Fraud Protection Service | >=13.1.0<=17.1.0 | |
Riverbed SteelApp Traffic Manager | >=13.1.0<=17.1.0 | |
F5 BIG-IP Link Controller | >=13.1.0<=17.1.0 | |
Riverbed SteelApp Traffic Manager | >=13.1.0<=17.1.0 | |
F5 BIG-IP Policy Enforcement Manager | >=13.1.0<=17.1.0 | |
F5 BIG-IP SSL Orchestrator | >=13.1.0<=17.1.0 | |
F5 BIG-IP WebAccelerator | >=13.1.0<=17.1.0 | |
F5 WebSafe | >=13.1.0<=17.1.0 | |
F5 F5OS | =1.5.1 | |
F5 F5OS | =1.5.0 | |
F5 F5OS | >=1.3.0<=1.3.2 | |
F5 F5OS | =1.3.1 | |
F5 F5OS | =1.3.0 | |
All of | ||
Siemens SCALANCE W1750D | ||
Siemens Scalance W1750D Firmware | ||
F5 Traffix Systems Signaling Delivery Controller | =5.1.0 | |
F5 Traffix Systems Signaling Delivery Controller | =5.2.0 | |
All of | ||
Any of | ||
Aruba Networks AOS-CX Firmware | >=10.06.0000<10.06.0180 | |
Aruba Networks AOS-CX Firmware | >=10.07.0000<10.07.0030 | |
Aruba Networks AOS-CX Firmware | >=10.08.0000<10.08.0010 | |
Aruba Networks AOS-CX Firmware | >=10.09.0000<10.09.0002 | |
Any of | ||
Aruba Networks CX 4100i | ||
Aruba Networks CX 6100 | ||
HPE Aruba CX 6200F 48G | ||
HPE Aruba CX 6200M | ||
Aruba CX 6300 | ||
HPE Aruba CX 6300M 48G | ||
HPE Aruba CX 6405 | ||
HPE Aruba CX 6410 | ||
HPE Aruba CX 8320-32 | ||
HPE Aruba 8325-32C | ||
Aruba CX 8325 | ||
Aruba CX 8360 | ||
Aruba CX 8360 | ||
HPE Aruba 8360-24XF2C | ||
Aruba CX 8360 | ||
Aruba CX 8360 | ||
Aruba CX 8360 | ||
HPE Aruba 8400X | ||
Stormshield Management Center | <3.3.3 | |
Stormshield Network Security | >=2.7.0<4.3.16 | |
Stormshield Network Security | >=4.4.0<4.6.3 | |
Siemens SCALANCE W1750D | ||
Siemens Scalance W1750D Firmware | ||
Aruba Networks AOS-CX Firmware | >=10.06.0000<10.06.0180 | |
Aruba Networks AOS-CX Firmware | >=10.07.0000<10.07.0030 | |
Aruba Networks AOS-CX Firmware | >=10.08.0000<10.08.0010 | |
Aruba Networks AOS-CX Firmware | >=10.09.0000<10.09.0002 | |
Aruba Networks CX 4100i | ||
Aruba Networks CX 6100 | ||
HPE Aruba CX 6200F 48G | ||
HPE Aruba CX 6200M | ||
Aruba CX 6300 | ||
HPE Aruba CX 6300M 48G | ||
HPE Aruba CX 6405 | ||
HPE Aruba CX 6410 | ||
HPE Aruba CX 8320-32 | ||
HPE Aruba 8325-32C | ||
Aruba CX 8325 | ||
Aruba CX 8360 | ||
Aruba CX 8360 | ||
HPE Aruba 8360-24XF2C | ||
Aruba CX 8360 | ||
Aruba CX 8360 | ||
Aruba CX 8360 | ||
HPE Aruba 8400X | ||
F5 BIG-IP Access Policy Manager | =17.0.0 | 17.1.0 |
F5 BIG-IP Access Policy Manager | >=16.1.0<=16.1.3 | 16.1.4 |
F5 BIG-IP Access Policy Manager | >=15.1.0<=15.1.9 | |
F5 BIG-IP Access Policy Manager | >=14.1.0<=14.1.5 | |
F5 BIG-IP Access Policy Manager | >=13.1.0<=13.1.5 | |
F5 BIG-IP and BIG-IQ Centralized Management | >=17.0.0<=17.1.0 | |
F5 BIG-IP and BIG-IQ Centralized Management | >=16.1.0<=16.1.4 | |
F5 BIG-IP and BIG-IQ Centralized Management | >=15.1.0<=15.1.9 | |
F5 BIG-IP and BIG-IQ Centralized Management | >=14.1.0<=14.1.5 | |
F5 BIG-IP and BIG-IQ Centralized Management | >=13.1.0<=13.1.5 | |
F5 BIG-IP Service Proxy for Kubernetes | =1.6.0 | |
F5 BIG-IP and BIG-IQ Centralized Management | >=8.0.0<=8.4.0 | |
F5 BIG-IP and BIG-IQ Centralized Management | =7.1.0 | |
F5 BIG-IP and BIG-IQ Centralized Management | >=8.0.0<=8.3.0 | |
F5 F5OS | >=1.3.0<=1.3.1 | |
F5 F5OS | >=1.5.0<=1.5.1>=1.3.0<=1.3.2 | |
F5 Traffix Systems Signaling Delivery Controller | =5.2.0=5.1.0 | 5.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2002-20001 has a moderate severity, as it allows remote attackers to perform resource-intensive calculations on the server.
To fix CVE-2002-20001, upgrade affected software versions to their patched releases, such as F5 BIG-IP to versions 17.1.0 or 16.1.4.
Affected products include F5 BIG-IP (APM), F5 BIG-IQ Centralized Management, and various versions of F5 OS products.
CVE-2002-20001 enables a D(HE)at or D(HE)ater attack, where attackers can exploit the Diffie-Hellman protocol to cause server-side resource strain.
To detect vulnerability to CVE-2002-20001, check if any affected F5 products are running vulnerable versions as specified in the vulnerability report.