Logjam - vulnerabilities in Diffie-Hellman key exchange affect browsers and servers using TLS

Published: 2015-05-20
Last Updated: 2015-05-20 19:03:17 UTC
by Brad Duncan (Version: 1)
11 comment(s)

There's a new vulnerability in town...   "The new bug, dubbed LogJam, is a cousin of Freak. But it’s in the basic design of TLS itself, meaning all Web browsers, and some email servers, are vulnerable." [1]  According to the article, "Internet-security experts crafted a fix for a previously undisclosed bug in security tools used by all modern Web browsers. But deploying the fix could break the Internet for thousands of websites."

Logjam attack can allow an attacker "to significantly weaken the encrypted connection between a user and a Web or email server..." [2]

From: https://weakdh.org/

Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS.

We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed...

We're starting to see news coverage from other outlets, and we're sure more analysis will emerge.  However, at this time your best source for more information on this bug is at weakdh.org.

For now, ensure you have the most recent version of your browser installed, and check for updates frequently.  If you’re a system administrator, please review the Guide to Deploying Diffie-Hellman for TLS at https://weakdh.org/sysadmin.html

--
Brad Duncan
ISC Handler and Security Researcher at Rackspace

References:

[1] http://www.wsj.com/articles/new-computer-bug-exposes-broad-security-flaws-1432076565
[2] http://www.pcworld.com/article/2924532/new-encryption-flaw-logjam-puts-web-surfers-at-risk.html

11 comment(s)

Comments

Apparently, people that patched their software to fix FREAK won't be vulnerable to Logjam. The big issue is people setting up servers using default configurations and forgetting about them. The articles seem to focus more on email servers, because Johns Hopkins Professor Matthew D. Green, mentions email servers in his quotes.

But the whole "using default configurations for servers and forgetting about them" is definitely not limited to email servers.
Focus seems to be on mail and VPN servers.

Any idea how I can check a server Diffie-Hellman key size?
The testing tool at https://weakdh.org/sysadmin.html is for web servers. We want to check our mail and VPN servers.
Haven't been able to find any testing tools for anything other than web servers yet... We'll get something posted in the comments if we see anything.
I would bet that the SSLLabs tool will be updated for the Logjam Vulnerability, and probably see someone write a NASL script for Nmap to scan for this vulnerability, which might help. I would keep an eye out on pastebin and exploitdb, and other sites for working exploit code for this vulnerability, because its only going to be a matter of time before the scans of vulnerable endpoints start.
To scan for EXPORT ciphers, you can use the commands below. The command will enumerate all accepted ciphers on the port(s) you indicate. It will then grep for EXPORT, which will display any vulnerable devices.

nmap --script ssl-enum-ciphers -p <port> <ip-address> | grep EXPORT
nmap --script ssl-enum-ciphers -p <port> -iL <filename> | grep EXPORT
Thanks everyone for the suggestions.

By now, everyone should have disable EXPORT ciphers due to FREAK.
I am more concerned with non EXPORT DH; how do I detect that it is 1024 or 2048?

For example, Microsoft added DHE_AES-GCM cipher support (https://support.microsoft.com/en-us/kb/2929781/) last year.
We decided not to enable it as they were 1024-bit DH. Seems that Windows SCHANNEL and even Java do not handle DH more than 1024 bit.


EDIT : found the answer at https://openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/

To check YOURMAILSERVER IMAPS port at 993.
openssl s_client -connect YOURMAILSERVER:993 -cipher "EDH" | grep "Server Temp Key"


To check SMTP STARTTLS
openssl s_client -starttls smtp -connect YOURMAILSERVER:25 -cipher "EDH" | grep "Server Temp Key"


"Server Temp Key: DH, 2048 bits"
If using 1024 or 2048 DH, admins should generate unique 2048-bit DH.

Take note Apache instructions on https://weakdh.org/sysadmin.html only works on httpd 2.4.8 and later, and OpenSSL 1.0.2 or later.
The best option is to disable DH and use ECDHE.
Inofficial patch for Apache 2.2.29:
https://bitbucket.org/snippets/wneessen/grb8
Replaces 512 and 1024 bit DHE with 2048 and 3072.
Any news on how this affects IPsec VPN's? Many vendors do not allow you to generate unique 2048-bit DH For IKE. You must select from the preset groups.
Will take a while before vendors allow us to generate unique 2048-bit blocks.

Just realized that SSH is also affected. Currently no instructions at https://weakdh.org/sysadmin.html
Seems that we need to modify KexAlgorithms and generate new moduli.
Wonderful number : CVE-2015-4000

EDIT : contacted WeakDH team and they have added SSH instructions.

Diary Archives