The Logjam vulnerability has been found to affect most common communication encryptions services like including Transport Layer Security (TLS), IPSec, and Secure Shell (SSH). It helps a man-in-the-middle attacker to downgrade the secure connection to 512-bit export-grade cryptograph, which can be used to view and edit supposedly ‘securely encrypted’ data.
The key to cryptographic security is advanced encryption that is difficult to crack with common computing resources. However, Logjam vulnerability allows an attacker to weaken the encryption complexity, consequently decrypting data easily without the user’s knowledge.
During the negotiation process, the attacker manipulates session key and forces export-grade Diffie-Hellman key. It uses 512-bit keys, which are comparatively easier to break. Experts have estimated that roughly 1 million domains with servers supporting DHE_EXPORT cipher are at risk of such an attack.
Exploitation Risk: Connections over vulnerable TLS protocols can be breached.
For individual users, Indusface recommends browser update. All major browsers have already released or are in the process of releasing patches for the vulnerability.
Website owners should disable export support for export-grade cipher suites. We had earlier recommended for the FREAK vulnerability earlier in March and our experts recommend it for dealing with Logjam vulnerability too. Key exchanges over 2048-bit strength Diffie-Hellman group will also ensure communication security.
Make sure to disable support for export-grade cipher suites. This will help to address FREAK as well as Logjam. Administrators are also advised to use a unique 2048-bit strength Diffie-Hellman group for key exchange.
Administrators can also follow these steps to test their servers for Logjam risks.
Refer to any Indusface Web VA report and search for “SSL Cipher Suites Supported” vulnerability. You will see some similar output for SSL ciphers as illustrated in the following points.
SSL Version : TLSv1
Low Strength Ciphers (< 56-bit key)
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
Look for ciphers that support weak Diffie Helman key exchanges, (Line 5: “Kx=DH(512)” or “EXP-EDH” as illustrated here) and to filter on.
Our existing customers will get updates on vulnerability. The managed security team has already updated Indusface Web application scanning to help detect and resolve the issues at the earliest. You can contact us at any time for unresolved issues, questions, or further assistance.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and had held various mgmt/leadership roles in Product Development, Professional Services, and Sales @Entrust.