All You Need To Know About Logjam Vulnerability
May 27, 2015
What is Logjam?
The Logjam vulnerability has been found to affect most common communication encryptions services like including Transport Layer Security (TLS), IPSec, and Secure Shell (SSH). It helps a man-in-the-middle attacker to downgrade the secure connection to a 512-bit export-grade cryptography, which can be used to view and edit supposedly ‘securely encrypted’ data.
What can hackers do with it?
The key to cryptographic security is advanced encryption that is difficult to crack with common computing resources. However, Logjam vulnerability allows an attacker to weaken the encryption complexity, consequently decrypting data easily without the user’s knowledge.
During the negotiation process, the attacker manipulates the session key and forces the export-grade Diffie-Hellman key. It uses 512-bit keys, which are comparatively easier to break. Experts have estimated that roughly 1 million domains with servers supporting DHE_EXPORT cipher are at risk of such an attack.
Exploitation Risk: Connections over vulnerable TLS protocols can be breached.
How to detect and protect against Logjam?
For individual users, Indusface recommends browser update. All major browsers have already released or are in the process of releasing patches for the vulnerability.
Website owners should disable export support for export-grade cipher suites. We had earlier recommended for the FREAK vulnerability earlier in March and our experts recommend it for dealing with Logjam vulnerability too. Key exchanges over the 2048-bit strength Diffie-Hellman group will also ensure communication security.
Make sure to disable support for export-grade cipher suites. This will help to address FREAK as well as Logjam. Administrators are also advised to use a unique 2048-bit strength Diffie-Hellman group for key exchange.
- Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE)
- Generate a Strong, Unique Diffie Hellman Group
Manual Testing
Administrators can also follow these steps to test their servers for Logjam risks.
Refer to any Indusface Web VA report and search for “SSL Cipher Suites Supported” vulnerability. You will see some similar output for SSL ciphers as illustrated in the following points.
SSL Version : TLSv1
Low Strength Ciphers (< 56-bit key)
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
Look for ciphers that support weak Diffie Helman key exchanges, (Line 5: “Kx=DH(512)” or “EXP-EDH” as illustrated here) and to filter on.
Indusface Web Update
Our existing customers will get updates on vulnerability. The managed security team has already updated Indusface Web application scanning to help detect and resolve the issues at the earliest. You can contact us at any time for unresolved issues, questions, or further assistance.
Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.
