ag visuell - Fotolia
The Logjam vulnerability downgrades TLS encryption to the point where it can be broken. What are the chances of it affecting enterprises? Is there a way to check if our websites are at risk, and if so, how can we fix the issue?
The Logjam vulnerability (CVE-2015-4000) is yet another newly uncovered "old bug" that affects the Internet's secure communication protocols. A cross-national team of computer scientists found a flaw in the TLS protocol -- not an implementation vulnerability -- relating to the Diffie-Hellman key exchange method that allows Internet protocols to agree on a shared encryption key during the negotiation phase of a secure connection.
This vulnerability can be exploited by an attacker to read and manipulate information passing over a TLS connection that should be secure. The Logjam vulnerability is similar to the recently discovered FREAK flaw, as it allows an attacker to force Web servers and browsers to use weak encryption keys, which can easily be decrypted. To take advantage of Logjam, a hacker needs to launch a man-in-the-middle attack between a client and a server -- a public Wi-Fi at an airport or café for example. Note that attackers would need a network presence to carry out this attack on a corporate network.
The chances of an enterprise being affected in some way by Logjam are extremely high as the Diffie-Hellman key exchange algorithm is fundamental to many protocols, including HTTPS, SSH, IPsec and others that rely on TLS or support Diffie-Hellman key exchanges -- such as secure versions of POP3, IMAP and SMTP. Many VPN services will also be vulnerable due their use of TLS or IPsec. Skyhigh's Service Intelligence Team found 575 cloud services that were potentially vulnerable to Logjam-based attacks six hours after the issue was disclosed, and 99% of its 400-plus customers were using at least one potentially vulnerable service, with the average being 71 vulnerable services.
The Logjam vulnerability affects any server supporting DHE_EXPORT ciphers and all modern browsers, but thankfully systems that are patched against the FREAK flaw are also protected against Logjam. To check if enterprise systems are vulnerable, administrators can use the free Symantec SSL Toolbox.
As a precaution, administrators should make sure all TLS encryption libraries are up to date -- OpenSSL has added protection against the attack in version 1.0.2b and 1.0.1n -- and ensure users' browsers are set to auto update so they receive patches to fix this vulnerability as soon as they're released. Administrators are also advised to generate a unique 2048-bit strength Diffie-Hellman group for key exchange to prevent pre-computation by hackers looking to launch an attack. Those who use SSH should upgrade both server and client installations to the most recent version of OpenSSH, which prefers Elliptic Curve Diffie-Hellman key exchange. The researchers who discovered the Logjam vulnerability have a webpage offering further guidance on how to strengthen affected servers.
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your question now via email. (All questions are anonymous.)
Learn more about enterprise TLS encryption
Dig Deeper on Disk and file encryption tools
Related Q&A from Michael Cobb
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
By performing ongoing risk assessments, organizations can keep their SSH vulnerabilities at a minimum and ensure their remote access foundation is ... Continue Reading