Security Experts:

Connect with us

Hi, what are you looking for?



Hundreds of Cloud Services Potentially Vulnerable to Logjam Attacks: Skyhigh

The recently disclosed Transport Layer Security (TLS) vulnerability dubbed Logjam affects numerous cloud services, cloud security company Skyhigh Networks reported on Wednesday.

The recently disclosed Transport Layer Security (TLS) vulnerability dubbed Logjam affects numerous cloud services, cloud security company Skyhigh Networks reported on Wednesday.

The Logjam vulnerability, which is similar to the FREAK bug, is caused due to the way the Diffie-Hellman (DHE) key exchange has been deployed. The flaw can be exploited by a man-in-the-middle (MitM) attacker to downgrade TLS connections to weak, export-grade crypto, and gain access to the data passing through the connection.

Logjam (CVE-2015-4000) affects all servers that support 512-bit export-grade cryptography and all modern web browsers, for which patches are being released. The vulnerability initially affected over 8 percent of the top 1 million HTTPS websites, and more than 3 percent of the browser trusted sites.

Because millions of HTTPS, SSH, and VPN servers use the same prime numbers for Diffie-Hellman key exchange, it’s possible to downgrade connections to 80% of the servers supporting export-grade DHE ciphers by breaking the most common 512-bit prime, researchers noted.

Experts believe an academic team can break a 768-bit prime, while a state-sponsored actor has the resources to break even a 1024-bit prime. In fact, it’s possible that the NSA has already used this technique to attack VPN servers.

“Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers,” researchers noted.

Skyhigh’s Service Intelligence Team, which says it’s capable of monitoring the impact of Logjam across thousands of cloud providers, revealed that 575 cloud services were potentially vulnerable to attacks six hours after the issue was disclosed.

The company says an average enterprise uses 923 cloud services, which means that an organization is likely to use one or more vulnerable services. According to Skyhigh, 99 percent of its over 400 customers are using at least one potentially vulnerable service, the average being 71 vulnerable services.

“LogJam is a cautionary tale for our lawmakers and leaders who are under pressure by government groups to weaken encryption. As stated in this letter to Pres. Obama, diluting the strength of encryption for one group creates a vulnerability that can be exploited by any group. Human rights, privacy and the resilience of our economy will be the casualties if back doors are created in encryption solutions,” Bob West, CipherCloud Chief Trust Officer, told SecurityWeek via email.

“LogJam is the latest significant flaw that undermines the security of the Internet. It’s disheartening to see yet another widespread vulnerability that impacts such a large group. I am, however, encouraged that the disclosure of these flaws is happening faster. This allows organizations to discover what systems are impacted and apply fixes at a faster pace,” West added.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, says he is not surprised by the existence of Logjam.

“Weakened encryption protocols like this one with Diffie-Hellman are a disaster waiting to happen as cyber criminals will prey on these vulnerabilities and spy on encrypted connections used by thousands of HTTPS sites and email servers,” said Bocek. “Heartbleed, LogJam, FREAK, Superfish and so many other examples reinforce that there’s too much blind trust when it comes to SSL/TLS, certificates and trust. And I have no doubt that we’ll continue to find many more protocol, crypto, and certificate vulnerabilities out there lurking.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet