Logjam: TLS vulnerabilities (CVE-2015-4000)

Red Hat Product Security has been made aware of various issues in TLS connections using the Diffie-Hellman (DH) key exchange protocol.

Background Information

TLS connections using the Diffie-Hellman key exchange protocol were found to be vulnerable to an attack, in which a man-in-the-middle attacker could downgrade vulnerable TLS connections to 512-bit export-grade cryptography. The attack affects any server that supports DHE_EXPORT ciphers. This attack can be conduted by pre-computation of the 512-bit primes given in two popular sets of weak Diffie-Hellman parameters, namely Apache's httpd versions 2.1.5 to 2.4.7, and all versions of OpenSSL.

The Logjam research paper discusses the following issues related to weak DH keys:

  1. The use of DHE_EXPORT cipher suites in the TLS protocol, or DHE keys with export-grade cipher strength: these keys are 512 bits in size and given enough computing power and time, they can be broken. This is especially a problem with perfect-forward secrecy because an attacker could record traffic and later decrypt it.

  2. The use of pre-computed primes that are provided with certain widely-used packages, such as certain versions of Apache httpd and sshd: this weakness allows an attacker to pre-compute such primes once, and use them to decrypt any traffic that uses those primes to establish a TLS connection.

  3. A flaw in the TLS protocol, which can lead to a downgrade from DHE to DHE_EXPORT: this issue has been assigned CVE-2015-4000.

Impact

The following attack scenarios are possible using the issues noted above:

  1. Offline decryption of weak DHE connections
    This attack requires that the server defaults to using a Diffie-Hellman key exchange with 512-bit parameters. This allows a passive network adversary who is able to record the communication between a client and a server to then decrypt this communication.

  2. DHE_EXPORT downgrade and offline decryption of the TLS False Start extension
    This attack requires that a server supports DHE_EXPORT cipher suites or uses 512-bit parameters in non-export DHE ciphers. The client must be using the TLS False Start extension. Under these circumstances, an attacker could record the communication between a client and a server and then decrypt that communication.

  3. DHE_EXPORT downgrade and man-in-the-middle server impersonation
    This is a similar attack to the previous attack, but does not require the TLS False Start extension to be enabled. Instead, the attacker has to rely on the client to wait a significant amount of time for the handshake to complete. This is because the attacker must compute the connection key during the handshake process, computing of which takes several minutes.

Resolution

SSL/TLS Servers

In the MITM attack, the attacker tries to connect to the server using DHE_EXPORT cipher suites on behalf of the client. This is achieved by a flaw in the TLS protocol in the way DHE and DHE_EXPORT cipher suites are composed. Using this protocol flaw, an active MITM attack can be conducted provided the server supports DHE_EXPORT cipher suites.

This issue does not affect the current versions of openssl packages as shipped with Red Hat Enterprise Linux 6 and 7 as they do not include DHE_EXPORT cipher suites or any other export-grade cipher suite in its DEFAULT cipher list. (Applications that use the DEFAULT cipher preference will not use export-grade cipher suites. However, application-specific configuration may re-enable the use of export ciphers.) Please note this is only the case when openssl is used by a network server. For information on client issues please see below.

The openssl packages in Red Hat Enterprise Linux 7 excluded export-grade cipher suites from the DEFAULT when used as a server since their initial release. In Red Hat Enterprise Linux 6, the change was made via the RHBA-2014:1525 advisory released as part of Red Hat Enterprise Linux 6.6.

Red Hat Enterprise Linux 5 does support the export-grade cipher suite in its default cipher list. Red Hat does not plan to change the default cipher list in Red Hat Enterprise Linux 5 because this CVE is rated as Moderate Impact. For more information on which Security Advisories are addressed in Production Phase 3, please visit the Red Hat Enterprise Linux Life Cycle page.

SSL/TLS Clients

Since clients do not control the cipher suites controlled by the SSL/TLS server, the only defense is to reject small primes in the DHE handshake. Requiring larger primes can prevent the above mentioned downgrade attacks.

OpenSSL upstream addresses the remaining two issues, by increasing the minimum size of DH parameters which a client can accept to 768 bits. This way even if a MITM attacker downgrades the connection, the client will reject if less than 768 bits are used, which is deemed to be easily breakable.

Currently, all versions of NSS packages as shipped in Red Hat Enterprise Linux accept 512-bit DHE parameters. The following upstream bug and the related commit claim to fix this issue and raise the limit to 1023 bits:

This change is under investigation by Red Hat Product Security and may be backported to relevant NSS packages in Red Hat Enterprise Linux.

Openswan/Libreswan

The Logjam downgrade attack against TLS does not apply to IKE in Openswan and Libreswan. The pluto daemon provided by the openswan and libreswan packages provides the IKEv1 and IKEv2 protocols to establish IPsec VPN tunnels whereas the Logjam attack targets TLS. Openswan and Libreswan also both have default DH groups above MODP1024, and do not support MODP768 and below.

JBoss products

For information on how to mitigate the Logjam vulnerability in affected JBoss products, refer to Logjam: TLS vulnerabilities (CVE-2015-4000) for JBoss products

Comments