Executive Summary
- A major flaw was discovered with SSL and was named “Logjam”.
- The flaw affects a number of fundamental web protocols.
- 8.4% of the Top 1 Million domains were initially vulnerable.
- SK106147 – Check Point Response to Logjam Vulnerability.
DESCRIPTION
- The vulnerability affects an algorithm called the “Diffie-Hellman key exchange” which allows protocols such as HTTPS, SSH, IPsec, SMTPS to negotiate a shared key and create a secure connection.
- The attack allows a man-in-the-middle to downgrade security of connections to a lower level of encryption — 512 bit — which can be read and attacked with relative ease.
- This allows the attacker to read and modify any data passed over the connection. The attack resembles the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange.
- The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers.
CHECK POINT IPS PROTECTIONS
Check Point protects its customers from the Logjam vulnerability with the following IPS protections:
- OpenSSL TLS Export Cipher Suite Downgrade (CVE-2015-0204; CVE-2015-1637)
- This protection will drop TLS connections if the MITM attacker chooses EXPORT cipher suite when it was not requested by the victim in its supported cipher suite list. This protection is part of the recommended profile.
- SSL Export Cipher Suite (CVE-2015-0204; CVE-2015-1637)
- This protection will entirely drop the use of legacy EXPORT cipher suites. This protection is not part of the recommended profile.
- TLS and SSL Diffie-Hellman Key Downgrade Weakness
- This protection is currently being developed and will be released as part of the next IPS update in order to cover rare configurations in which the above protections do not suffice.
REFERENCES