
Hundreds of Cloud Services Potentially Vulnerable to Logjam Attacks: Skyhigh

The recently disclosed Transport Layer Security (TLS) vulnerability dubbed Logjam affects numerous cloud services, cloud security company Skyhigh Networks reported on Wednesday.


The Logjam vulnerability, which is similar to the FREAK bug, stems from the way the ephemeral Diffie-Hellman (DHE) key exchange has been deployed. The flaw can be exploited by a man-in-the-middle (MitM) attacker to downgrade TLS connections to weak, export-grade crypto and gain access to the data passing through the connection.

Logjam (CVE-2015-4000) affects all servers that support 512-bit export-grade cryptography and all modern web browsers, for which patches are being released. The vulnerability initially affected over 8 percent of the top 1 million HTTPS websites and more than 3 percent of browser-trusted sites.

Because millions of HTTPS, SSH, and VPN servers use the same prime numbers for Diffie-Hellman key exchange, it’s possible to downgrade connections to 80% of the servers supporting export-grade DHE ciphers by breaking the most common 512-bit prime, researchers noted.

Experts believe an academic team can break a 768-bit prime, while a state-sponsored actor has the resources to break even a 1024-bit prime. In fact, it’s possible that the NSA has already used this technique to attack VPN servers.

“Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers,” researchers noted.
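The two conditions described above (a server that still accepts export-grade DHE suites, and a server whose normal DH group is small or shared) are what a defender checks for when triaging exposure. The following is an added example, not code from the article, from Skyhigh or from the Logjam researchers. It applies the article's figures as thresholds (512-bit export DHE is downgradeable by a MitM, a 768-bit prime is within reach of an academic team, a 1024-bit prime of a state-level actor, 2048 bits is the size to move to) to two inputs a TLS scan normally yields: the list of cipher suites the server accepted, and the `Server Temp Key:` line that `openssl s_client` prints after a handshake. The cipher-suite names follow OpenSSL and IANA naming; every sample scan below is constructed.

```python
"""Logjam exposure triage over TLS scan results (added example, constructed data)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Matches e.g. "Server Temp Key: DH, 1024 bits" (finite-field DH, relevant here)
# and "Server Temp Key: ECDH, P-256, 256 bits" (elliptic-curve, not a Logjam concern).
TEMP_KEY_RE = re.compile(r"Server Temp Key:\s*(?P<kind>[A-Za-z0-9]+)\b.*?(?P<bits>\d+)\s*bits")

# Thresholds taken from the article's figures.
EXPORT_BITS = 512       # export-grade group: breakable outright
ACADEMIC_BITS = 768     # within reach of an academic team
STATE_BITS = 1024       # within reach of a state-level actor
RECOMMENDED_BITS = 2048 # minimum group size to deploy

# Ratings ordered from best to worst; worse() keeps the more severe one.
RANK = ["acceptable", "no-ffdhe", "weak", "state-level", "academic", "downgradeable"]


def worse(a: str, b: str) -> str:
    return a if RANK.index(a) >= RANK.index(b) else b


def is_export_dhe(suite: str) -> bool:
    """True for export-grade ephemeral DH suites in OpenSSL ("EXP-EDH-...") or
    IANA ("TLS_DHE_RSA_EXPORT_...") naming. RSA-export suites such as EXP-RC4-MD5
    are a FREAK concern, not a Logjam one, and are deliberately not matched."""
    name = suite.upper()
    return "EXP" in name and ("EDH" in name or "DHE" in name)


def parse_temp_key(s_client_output: str) -> Tuple[Optional[str], Optional[int]]:
    """Return (kind, bits) from the Server Temp Key line, or (None, None) if absent."""
    m = TEMP_KEY_RE.search(s_client_output)
    if not m:
        return None, None
    return m.group("kind"), int(m.group("bits"))


@dataclass
class Assessment:
    rating: str
    export_dhe: List[str] = field(default_factory=list)
    dh_bits: Optional[int] = None
    findings: List[str] = field(default_factory=list)


def assess(accepted_suites: List[str], s_client_output: str) -> Assessment:
    export = sorted(s for s in accepted_suites if is_export_dhe(s))
    kind, bits = parse_temp_key(s_client_output)
    dh_bits = bits if kind == "DH" else None
    rating, findings = "acceptable", []

    if export:
        # The downgrade works even when the server's normal group is strong:
        # the MitM steers the handshake onto the export suite.
        rating = "downgradeable"
        findings.append(f"export DHE suites accepted ({', '.join(export)}); "
                        f"a MitM can force a {EXPORT_BITS}-bit group")
    if dh_bits is None:
        if not export:
            rating = "no-ffdhe"
        findings.append("no finite-field DHE group observed (ECDHE or RSA key exchange)")
    elif dh_bits <= EXPORT_BITS:
        rating = "downgradeable"
        findings.append(f"{dh_bits}-bit DH group is export strength")
    elif dh_bits <= ACADEMIC_BITS:
        rating = worse(rating, "academic")
        findings.append(f"{dh_bits}-bit DH group is breakable by an academic team")
    elif dh_bits <= STATE_BITS:
        rating = worse(rating, "state-level")
        findings.append(f"{dh_bits}-bit DH group is breakable by a state-level actor")
    elif dh_bits < RECOMMENDED_BITS:
        rating = worse(rating, "weak")
        findings.append(f"{dh_bits}-bit DH group is below the {RECOMMENDED_BITS}-bit recommendation")
    else:
        findings.append(f"{dh_bits}-bit DH group is adequate; generate the group locally "
                        "so the prime is not one shared with millions of other servers")
    return Assessment(rating, export, dh_bits, findings)


# Constructed scan results: (label, suites the server accepted, s_client excerpt).
SAMPLE_SCANS = [
    ("export-still-enabled", ["DHE-RSA-AES128-SHA", "EXP-EDH-RSA-DES-CBC-SHA"],
     "Server Temp Key: DH, 2048 bits"),
    ("legacy-1024", ["DHE-RSA-AES256-GCM-SHA384"], "Server Temp Key: DH, 1024 bits"),
    ("ecdhe-only", ["ECDHE-RSA-AES128-GCM-SHA256"], "Server Temp Key: ECDH, P-256, 256 bits"),
    ("hardened", ["DHE-RSA-AES256-GCM-SHA384"], "Server Temp Key: DH, 2048 bits"),
]


def run_samples() -> Dict[str, str]:
    """Rate every constructed scan; returns label -> rating."""
    return {label: assess(suites, out).rating for label, suites, out in SAMPLE_SCANS}


if __name__ == "__main__":
    for label, suites, out in SAMPLE_SCANS:
        a = assess(suites, out)
        print(f"{label}: {a.rating}")
        for f in a.findings:
            print(f"  - {f}")
```

The "export-still-enabled" sample is the one worth internalising: its everyday group is 2048 bits, yet it rates as downgradeable because the export suite is still on the list, so removing the `EXP` suites from the server's cipher string is the first fix, and moving to a freshly generated 2048-bit group (for example with `openssl dhparam 2048`) is the second.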

Skyhigh’s Service Intelligence Team, which says it’s capable of monitoring the impact of Logjam across thousands of cloud providers, revealed that 575 cloud services were potentially vulnerable to attacks six hours after the issue was disclosed.

The company says an average enterprise uses 923 cloud services, which means that an organization is likely to use one or more vulnerable services. According to Skyhigh, 99 percent of its over 400 customers are using at least one potentially vulnerable service, the average being 71 vulnerable services.


“LogJam is a cautionary tale for our lawmakers and leaders who are under pressure by government groups to weaken encryption. As stated in this letter to Pres. Obama, diluting the strength of encryption for one group creates a vulnerability that can be exploited by any group. Human rights, privacy and the resilience of our economy will be the casualties if back doors are created in encryption solutions,” Bob West, CipherCloud Chief Trust Officer, told SecurityWeek via email.

“LogJam is the latest significant flaw that undermines the security of the Internet. It’s disheartening to see yet another widespread vulnerability that impacts such a large group. I am, however, encouraged that the disclosure of these flaws is happening faster. This allows organizations to discover what systems are impacted and apply fixes at a faster pace,” West added.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, says he is not surprised by the existence of Logjam.

“Weakened encryption protocols like this one with Diffie-Hellman are a disaster waiting to happen as cyber criminals will prey on these vulnerabilities and spy on encrypted connections used by thousands of HTTPS sites and email servers,” said Bocek. “Heartbleed, LogJam, FREAK, Superfish and so many other examples reinforce that there’s too much blind trust when it comes to SSL/TLS, certificates and trust. And I have no doubt that we’ll continue to find many more protocol, crypto, and certificate vulnerabilities out there lurking.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
