Maria Varmazis

Breaking down the Logjam (vulnerability)

Blog Post created by Maria Varmazis Employee on Jun 5, 2015

Originally posted May 22, 2015

What is it

Disclosed on May 19, 2015, the Logjam vulnerability (CVE-2015-4000) is a flaw in common TLS implementations that can be used to intercept secure communications. This TLS protocol vulnerability would allow an active man-in-the-middle (MITM) attacker to silently downgrade a TLS session to export-level Diffie-Hellman keys. The attacker could hijack this downgraded session by computing the weak encryption keys. This might sound familiar -- this flaw is similar to the FREAK attack found in March of this year, except Logjam targets the Diffie-Hellman exchange instead of the RSA exchange used in FREAK.

During a LogJam-based attack, users might think their connection to a given website is secure and may even see the usual browser-based assurances of a secure connection, but in reality their communication could be intercepted and modified.


How bad is this vulnerability?

In order for an attacker to take advantage of this flaw, they need to be have access to the network between the user's TLS client and server. That's a big mitigating factor here Ð because either you are sharing WiFi with the attacker (say at your friendly neighborhood coffee shop), or you are on a part of the internet that's controlled by a state-level actor. In other words: This is not the type of vulnerability that could be easily exploited by a rogue actor elsewhere on the internet, unless they are able to compromise another node in the network path, or modify the DNS records for the target TLS server.

So while the potential for data theft is certainly present, given the complexities and number of variables that must be in place for a successful attack, we don't see Logjam as a cause for panic.


How to mitigate

It's recommended that server administrators disable export-grade Diffie-Hellman ciphers, if they haven't already. We also recommend implementing relevant patches when reasonable in the context of other business needs.  Patches currently available include:

As of today, there is a CVE assigned for it: CVE-2015-4000; that said, comprehensively fixing this flaw could break a lot of software and websites in the process, and at the moment there's no universally agreed method on how to best address it.


Is there a check for this in Nexpose?

At the moment we do not have a check for Logjam available in Nexpose; however, it is currently in the works. We will update this blog post with more information when a check is available.