Skip to content ↓ | Skip to navigation ↓

A new potentially high-impact vulnerability called LogJam has been revealed by researchers, which has similarities to the FREAK (CVE-2015-0204) vulnerability disclosed a few months ago, whereby a man-in-the-middle attack can be implemented to weaken the encryption between client and server.

Like FREAK, the LogJam vulnerability takes advantage of legacy encryption standards imposed in the 90s by the U.S. government and tricks servers into using weaker 512-bit keys, which can be decrypted easily.

The vulnerability affects any server supporting DHE_EXPORT ciphers and all modern browsers.

Microsoft’s Internet Explorer was patched for this vulnerability last week and patches for Firefox, Chrome and Safari patches should be available soon.

Impact & Scope

This vulnerability is a flaw in the SSL protocol and has been present for more than 20 years, affecting HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS, so the vulnerability is very widespread.

However, to take advantage of this vulnerability, an attacker needs to be on the same network as the victim, such as on the same Wi-Fi network, so there is no indication of any remote exploit capability related to this vulnerability at this time.

Remediation

System administrators should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. The researchers who identified the vulnerability have provided a detailed guide “Guide to Deploying Diffie-Hellman for TLS,” as well as more technical details of the vulnerability on their website.

Detection of Weak Ciphers with Tripwire

Tripwire IP360 reports the presence of LogJam affected ciphers as well as other ciphers that do not provide adequate security:

V6174 SSL Server Supports Weak Encryption for SSLv3
V79208 SSL Server Supports Weak Encryption for SSLv2
V79210 SSL Server Supports Weak Encryption for TLSv1
V81883 SSL Server Supports Weak Encryption for TLSv1.1
V81884 SSL Server Supports Weak Encryption for TLSv1.2

 

Additionally, IP360 provides the following detection for CVE-2015-0204: V204109, V204490, V204572, V204835, V204989, V205161, V205168, V205439, V205440, V206229, V206758, V207391.

Updates on this vulnerability, as we learn of them, can be found here: http://www.tripwire.com/vert/vert-alert/logjam/

Hacking Point of Sale
  • I visited the weakdh website earlier today, but somehow managed to overlook this part:

    "to take advantage of this vulnerability an attacker needs to be on the same network as the victim, such as on the same Wi-Fi network"

    It reminds me of Fire Sheep, but that was awhile ago, so I don't even recall the details, other than MITM attacks on WiFi, and of course, the endearing name with sheep.

  • Mark

    They don't have to be "on the same network" rather as long as they can redirect traffic to go through a system that they can conduct packet captuers against they can manipulate the traffic, in other words a Man in The Middle (MiTM) attack.

    Internet traffic redirection has been confirmed to have been done several times in the last few years so this vulnerability, although esoteric, can be done with the proper motivation and systems. Probably only state sponsored attacks are the concern here, but this too is not an impractical possibility.