CVE-2015-4000 LOGJAM TLS DH vulnerability

Created:

2016-11-16 13:03:45 UTC

Modified:

2017-03-13 22:17:46 UTC

2

Was this article helpful?


Have more questions?

Submit a request

CVE-2015-4000 LOGJAM TLS DH vulnerability

General Information

A CVE-2015-4000 vulnerability in the TLS protocol implementation, so called 'Logjam'. Logjam is a new attack against the Diffie-Hellman key-exchange protocol used in TLS.

There are two problems which people mean by "Logjam":

1. Logjam attack against the TLS protocol.
The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORTciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable.

2. Weak Diffie-Hellman. (Threats from state-level adversaries.)

Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections.

We carried out this computation against the most common 512-bit prime used for TLS and demonstrate that the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT. We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break.

whitepaper  is available that describes this vulnerability.

Resolution for Linux

Operating system (OS) vendors released the following security advisories to address this vulnerability:

Debian

RedHat/CentOS

Ubuntu

For Plesk 12.5 and Onyx:

Since Plesk 12.5 there is a utility plesk sbin sslmng that allows disabling TLS compression and sets the DH parameter's size to 2048.

To do it for all services, execute the following command:

# plesk sbin sslmng -vvv --strong-dh --dhparams-size=2048

To change the setting for a particular service, option --services=service_name should be added.

 

Article Tune Plesk to Meet PCI DSS on Linux describes the ways of disabling weak SSL/TLS ciphers and protocols for web and e-mail servers operated by Plesk, and some limitations.

For Plesk 12.0.18 and earlier

We prepared a patch file in accordance with the recommendations from Guide to Deploying Diffie-Hellman for TLS .

Apply the script on a test environment first. Contact Plesk Technical Support in case of any issues.

The script will patch properly if you have OpenSSL version 1.0.1 and higher, because earlier versions do not have TLS v1.1 and TLS v1.2 support.

Usage:

# wget http://kb.plesk.com/Attachments/kcs-51784/SSLfix.zip
# unzip SSLfix.zip
# chmod +x SSLfix.sh

./SSLfix.sh [v3|dh] [service name like apache, nginx]

Without arguments, it will patch all services' configuration for SSLv3 (Poodle) and weak DH (Logjam).

NOTE: The script also protects from CVE-2014-3566: POODLE attack.

Resolution for Windows

  1. Open the Group Policy Object Editor (i.e., run gpedit.msc in the command prompt).
  2. Expand Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
  3. Under SSL Configuration Settings, open the SSL Cipher Suite Order setting.
  4. Set up a strong cipher suite order. See this list of Microsoft's supported ciphers and Mozilla's TLS configuration instructions.
Have more questions? Submit a request
Please sign in to leave a comment.