Another TLS Vulnerability – Logjam Found Last Week (May 28, 2015)


Another major TLS vulnerability, Logjam, was released last week. Logjam actually involves two related but separate vulnerabilities: one is a man-in-the-middle cipher suite downgrade, similar to the FREAK vulnerability in TLS released in March 2015; the other is breaking, by force, traffic encrypted with EXPORT cryptography or small DH parameters. An attacker can exploit the vulnerabilities to eavesdrop on all of the encrypted traffic without the target’s knowledge.

To carry out an attack exploiting the first vulnerability, a man-in-the-middle attacker needs to intercept the target’s traffic to the server and go through the following steps:

  1. The accepted cipher suites in the client hello are replaced with DHE_EXPORT ones only. A sample DHE_EXPORT client hello is shown below:
  2. The server accepts, picks a DHE_EXPORT cipher suite, and sends it back to the client.
  3. The attacker should be able to decrypt the weak DHE_EXPORT encryption, then recover the keys with further attacks without the target’s knowledge.
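
A sensor-side check for the downgrade in step 1, as an added example that is not part of the original post and not SonicWall's signature logic: it parses one TLS ClientHello record and flags offers made up only of DHE_EXPORT suites. The function names and sample hellos are constructed for illustration, and the ClientHello is assumed to fit in a single unfragmented record.

```python
import struct

# IANA code points (RFC 2246). DHE_EXPORT is what the downgrade forces.
DHE_EXPORT = {0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
              0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"}
OTHER_EXPORT = {0x0003, 0x0006, 0x0008, 0x000B, 0x000E, 0x0017, 0x0019}

def client_hello_suites(record):
    """Return the cipher suite code points offered in one TLS ClientHello record."""
    try:
        ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
        body = record[5:5 + rec_len]
        if ctype != 0x16 or len(body) != rec_len or body[0] != 0x01:
            raise ValueError("not a complete ClientHello record")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                        # skip client_version and random
        pos += 1 + hello[pos]               # skip session_id
        (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
        suites = hello[pos + 2:pos + 2 + cs_len]
    except (struct.error, IndexError):
        raise ValueError("truncated ClientHello") from None
    if cs_len % 2 or len(suites) != cs_len:
        raise ValueError("truncated cipher suite list")
    return [int.from_bytes(suites[i:i + 2], "big") for i in range(0, cs_len, 2)]

def classify(record):
    """'dhe-export-only' matches step 1; 'offers-export' is a weak client; else 'ok'."""
    suites = client_hello_suites(record)
    if suites and all(s in DHE_EXPORT for s in suites):
        return "dhe-export-only"
    if any(s in DHE_EXPORT or s in OTHER_EXPORT for s in suites):
        return "offers-export"
    return "ok"

def build_hello(suites):
    """Constructed sample: minimal TLS 1.0 ClientHello, no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for offered in ([0x0033, 0x002F], [0x0033, 0x0014], [0x0014, 0x0011]):
        print([hex(s) for s in offered], "->", classify(build_hello(offered)))
```

A hello that also carries a signalling value such as 0x00FF alongside the export suites falls into "offers-export" rather than "dhe-export-only", so both results are worth alerting on.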

To decide if the server is vulnerable, OpenSSL suggests using the following commands to verify the length of the key and the support of Export cipher suites:

  • $ openssl s_client -connect [yourwebsite].com:443 -cipher "EDH"
  • $ openssl s_client -connect [yourwebsite].com:443 -cipher "ECDHE"
  • $ openssl s_client -connect www.example.com:443 -cipher "EXP"

A typical reply to the DH configuration test is listed below. It shows a 1024-bit server public key and DHE RSA encryption:

The Dell SonicWALL threat team has created the following IPS signatures to protect its customers:

  • IPS:6366 “Client Hello with EXPORT Cipher Suites 1”
  • IPS:6412 “Client Hello with EXPORT Cipher Suites 2”
  • IPS:6428 “Server Hello with EXPORT Cipher Suite”