A new potentially high-impact vulnerability called LogJam has been revealed by researchers, which has similarities to the FREAK (CVE-2015-0204) vulnerability disclosed a few months ago, whereby a man-in-the-middle attack can be implemented to weaken the encryption between client and server.
Like FREAK, the LogJam vulnerability takes advantage of legacy encryption standards imposed in the 90s by the U.S. government and tricks servers into using weaker 512-bit keys, which can be broken easily.
The vulnerability affects any server supporting DHE_EXPORT ciphers and all modern browsers.
Microsoft’s Internet Explorer was patched for this vulnerability last week, and patches for Firefox, Chrome and Safari should be available soon.
Impact & Scope
This vulnerability is a flaw in the SSL protocol and has been present for more than 20 years, affecting HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS, so the vulnerability is very widespread.
However, to take advantage of this vulnerability, an attacker needs to be on the same network as the victim, such as on the same Wi-Fi network, so there is no indication of any remote exploit capability related to this vulnerability at this time.
System administrators should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. The researchers who identified the vulnerability have provided a detailed guide, “Guide to Deploying Diffie-Hellman for TLS,” as well as more technical details of the vulnerability on their website.
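One way to verify both recommendations offline, as an added example that is not from the original post or from Tripwire: it reads the prime size out of a DH PARAMETERS PEM file and flags export-grade suite names. The function names and the sample inputs are assumptions made for illustration; the sample "primes" are constructed numbers of the right size only.

```python
import base64
import re

def _der_value(buf, want_tag):
    """Return the value bytes of the DER element at the start of buf."""
    if len(buf) < 2 or buf[0] != want_tag:
        raise ValueError("unexpected DER tag")
    length, pos = buf[1], 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length]

def dh_prime_bits(pem):
    """Bit length of p in a PKCS#3 'DH PARAMETERS' PEM: SEQUENCE { p, g }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    p = _der_value(_der_value(der, 0x30), 0x02)  # first INTEGER is the prime
    return int.from_bytes(p, "big").bit_length()

def dh_group_too_small(pem, min_bits=2048):
    """True if the group is below the 2048-bit size the page recommends."""
    return dh_prime_bits(pem) < min_bits

def export_suites(suites):
    """Export-grade names: OpenSSL 'EXP...' or IANA '..._EXPORT_...'."""
    return [s for s in suites if s.startswith("EXP") or "_EXPORT" in s]

def _der(tag, body):
    n = len(body)
    nb = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + head + body

def make_dh_pem(p, g=2):
    """Demo helper: encode p and g as DH PARAMETERS PEM; nothing is validated."""
    ints = b"".join(_der(2, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (p, g))
    b64 = base64.encodebytes(_der(0x30, ints)).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{b64}-----END DH PARAMETERS-----\n"

# Constructed inputs: these numbers only have the right size, they are not real primes.
WEAK_PEM = make_dh_pem((1 << 511) | 1)
GOOD_PEM = make_dh_pem((1 << 2047) | 1)
```

Pass the contents of the server's DH parameters file to `dh_group_too_small`, and the list of enabled cipher suite names to `export_suites`; an empty list and a `False` result match the guidance above.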
Detection of Weak Ciphers with Tripwire
Tripwire IP360 reports the presence of LogJam affected ciphers as well as other ciphers that do not provide adequate security:
|IP360 ID|Description|
|---|---|
|V6174|SSL Server Supports Weak Encryption for SSLv3|
|V79208|SSL Server Supports Weak Encryption for SSLv2|
|V79210|SSL Server Supports Weak Encryption for TLSv1|
|V81883|SSL Server Supports Weak Encryption for TLSv1.1|
|V81884|SSL Server Supports Weak Encryption for TLSv1.2|
Additionally, IP360 provides the following detection for CVE-2015-0204: V204109, V204490, V204572, V204835, V204989, V205161, V205168, V205439, V205440, V206229, V206758, V207391.
Updates on this vulnerability, as we learn of them, can be found here: https://www.tripwire.com/vert/vert-alert/logjam/