Hundreds of Cloud Services Potentially Vulnerable to Logjam Attacks: Skyhigh

The recently disclosed Transport Layer Security (TLS) vulnerability dubbed Logjam affects numerous cloud services, cloud security company Skyhigh Networks reported on Wednesday.

The Logjam vulnerability, which is similar to the FREAK bug, is caused due to the way the Diffie-Hellman (DHE) key exchange has been deployed. The flaw can be exploited by a man-in-the-middle (MitM) attacker to downgrade TLS connections to weak, export-grade crypto, and gain access to the data passing through the connection.

Logjam (CVE-2015-4000) affects all servers that support 512-bit export-grade cryptography and all modern web browsers, for which patches are being released. The vulnerability initially affected over 8 percent of the top 1 million HTTPS websites, and more than 3 percent of the browser trusted sites.

Because millions of HTTPS, SSH, and VPN servers use the same prime numbers for Diffie-Hellman key exchange, it’s possible to downgrade connections to 80% of the servers supporting export-grade DHE ciphers by breaking the most common 512-bit prime, researchers noted.

Experts believe an academic team can break a 768-bit prime, while a state-sponsored actor has the resources to break even a 1024-bit prime. In fact, it’s possible that the NSA has already used this technique to attack VPN servers.

“Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers,” researchers noted.

Skyhigh’s Service Intelligence Team, which says it’s capable of monitoring the impact of Logjam across thousands of cloud providers, revealed that 575 cloud services were potentially vulnerable to attacks six hours after the issue was disclosed.

The company says an average enterprise uses 923 cloud services, which means that an organization is likely to use one or more vulnerable services. According to Skyhigh, 99 percent of its over 400 customers are using at least one potentially vulnerable service, the average being 71 vulnerable services.

“LogJam is a cautionary tale for our lawmakers and leaders who are under pressure by government groups to weaken encryption. As stated in this letter to Pres. Obama, diluting the strength of encryption for one group creates a vulnerability that can be exploited by any group. Human rights, privacy and the resilience of our economy will be the casualties if back doors are created in encryption solutions,” Bob West, CipherCloud Chief Trust Officer, told SecurityWeek via email.

“LogJam is the latest significant flaw that undermines the security of the Internet. It’s disheartening to see yet another widespread vulnerability that impacts such a large group. I am, however, encouraged that the disclosure of these flaws is happening faster. This allows organizations to discover what systems are impacted and apply fixes at a faster pace,” West added.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, says he is not surprised by the existence of Logjam.

“Weakened encryption protocols like this one with Diffie-Hellman are a disaster waiting to happen as cyber criminals will prey on these vulnerabilities and spy on encrypted connections used by thousands of HTTPS sites and email servers,” said Bocek. “Heartbleed, LogJam, FREAK, Superfish and so many other examples reinforce that there’s too much blind trust when it comes to SSL/TLS, certificates and trust. And I have no doubt that we’ll continue to find many more protocol, crypto, and certificate vulnerabilities out there lurking.”