hackerone asanso H1:113288
Jan 28, 2016 - 4:56 p.m.

Internet Bug Bounty: OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)

2016-01-28 16:56:21
asanso
hackerone.com
$2500
117

CVSS3: 3.7 Low
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS2: 2.6 Low
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:H/Au:N/C:P/I:N/A:N

EPSS: 0.119 Low
Percentile: 94.7%

Full write up: http://intothesymmetry.blogspot.ch/2016/01/openssl-key-recovery-attack-on-dh-small.html

DH small subgroups (CVE-2016-0701)

Severity: High

Historically OpenSSL usually only ever generated DH parameters based on “safe”
primes. More recently (in version 1.0.2) support was provided for generating
X9.42 style parameter files such as those required for RFC 5114 support. The
primes used in such files may not be “safe”. Where an application is using DH
configured with parameters based on primes that are not “safe” then an attacker
could use this fact to find a peer’s private DH exponent. This attack requires
that the attacker complete multiple handshakes in which the peer uses the same
private DH exponent. For example this could be used to discover a TLS server’s
private DH exponent if it’s reusing the private DH exponent or it’s using a
static DH ciphersuite.

OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS.
It is not on by default. If the option is not set then the server reuses the
same private DH exponent for the life of the server process and would be
vulnerable to this attack. It is believed that many popular applications do set
this option and would therefore not be at risk.

OpenSSL before 1.0.2f will reuse the key if:

    • SSL_CTX_set_tmp_dh()/SSL_set_tmp_dh() is used and SSL_OP_SINGLE_DH_USE is not
      set.
    • SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used, and both the
      parameters and the key are set and SSL_OP_SINGLE_DH_USE is not used. This is
      an undocumented feature and parameter files don’t contain the key.
    • Static DH ciphersuites are used. The key is part of the certificate and
      so it will always reuse it. This is only supported in 1.0.2.

It will not reuse the key for DHE cipher suites if:

    • SSL_OP_SINGLE_DH_USE is set
    • SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used and the
      callback does not provide the key, only the parameters. The callback is
      almost always used like this.

Non-safe primes are generated by OpenSSL when using:

    • genpkey with the dh_rfc5114 option. This will write an X9.42 style file
      including the prime-order subgroup size “q”. This is supported since the 1.0.2
      version. Older versions can’t read files generated in this way.
    • dhparam with the -dsaparam option. This has always been documented as
      requiring the single use.

The fix for this issue adds an additional check where a “q” parameter is
available (as is the case in X9.42 based parameters). This detects the
only known attack, and is the only possible defense for static DH ciphersuites.
This could have some performance impact.
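As an added illustration (not code from this report or from OpenSSL), a small Python model of the subgroup check described above. With constructed, deliberately non-safe toy parameters it shows that the plain range check on a peer's public value accepts an element of a tiny subgroup, that the y^q ≡ 1 (mod p) test available when q is known rejects it, and why that matters for a reused private exponent: the shared secret computed from such a value takes only a handful of distinct values. All constants and function names are assumptions for the example.

```python
# Toy DH parameters constructed for this example (NOT a safe prime):
# p - 1 = 2 * 3 * 101, so besides the intended prime-order subgroup (q = 101)
# the group contains small subgroups of order 2, 3 and 6.
P = 607
Q = 101
COFACTOR = (P - 1) // Q  # 6


def subgroup_generator(p, order):
    """Return an element of exact order `order`, which must divide p - 1.
    h^((p-1)/order) always has order dividing `order`; skipping the value 1
    (and `order` being prime here) makes the order exact."""
    for h in range(2, p):
        g = pow(h, (p - 1) // order, p)
        if g != 1:
            return g
    raise ValueError("no element of that order found")


def check_pub_key(y, p, q=None):
    """Model of the peer-public-value check: the range test 1 < y < p - 1
    (always possible) plus y^q == 1 (mod p) when the subgroup order q is
    carried in the parameters. Returns True when y is acceptable."""
    if not 1 < y < p - 1:
        return False
    if q is not None and pow(y, q, p) != 1:
        return False
    return True


def distinct_shared_secrets(y, p, q):
    """How many distinct values y^x mod p takes over private exponents 1..q-1.
    For a proper subgroup element this is q - 1; for an element of a small
    subgroup of order r it collapses to r, which is what leaks x mod r."""
    return len({pow(y, x, p) for x in range(1, q)})


if __name__ == "__main__":
    g = subgroup_generator(P, Q)         # honest generator of order q
    y_small = subgroup_generator(P, 3)   # element of the order-3 subgroup
    print("honest value passes with q:", check_pub_key(g, P, Q))
    print("order-3 value passes range check only:", check_pub_key(y_small, P))
    print("order-3 value passes with q:", check_pub_key(y_small, P, Q))
    print("distinct secrets from order-3 value:", distinct_shared_secrets(y_small, P, Q))
```

Without q (a plain "safe prime" style file has no q), the only defence left is the single-use exponent, which is why the advisory forces SSL_OP_SINGLE_DH_USE on as well.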

Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by default
and cannot be disabled. This could have some performance impact.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to 1.0.2f.

OpenSSL 1.0.1 is not affected by this CVE because it does not support X9.42
based parameters. It is possible to generate parameters using non “safe” primes,
but this option has always been documented as requiring single use and is not
the default or believed to be common. However, as a precaution, the
SSL_OP_SINGLE_DH_USE change has also been backported to 1.0.1r.

This issue was reported to OpenSSL on 12 January 2016 by Antonio Sanso (Adobe).
The fix was developed by Matt Caswell of the OpenSSL development team
(incorporating some work originally written by Stephen Henson of the OpenSSL
