Security Experts:

Logjam TLS Vulnerability Exposes Websites, Mail Servers: Researchers

Researchers have analyzed the Diffie-Hellman (DHE) key exchange and they’ve come across a new vulnerability that puts a large number of online services at risk.

The vulnerability, dubbed “Logjam,” affects the Transport Layer Security (TLS) protocol and it can be exploited through man-in-the-middle (MitM) attacks to downgrade connections to 512-bit export-grade cryptography. An attacker can leverage the flaw to read and alter encrypted data.

According to experts, the attack is similar to FREAK since it’s related to support for export-grade crypto introduced in 1990 at the request of the US government. The main differences are that Logjam attacks are possible due to a TLS vulnerability rather than an implementation flaw, and Logjam targets the Diffie-Hellman cryptographic algorithm rather than the RSA algorithm.

Researchers noted that websites, mail servers (SMTP, POP3S, IMAP), and other services that rely on TLS and support DHE_EXPORT ciphers are vulnerable. Expert have determined that 8.4 percent of the Alexa top one million HTTPS domains, and 3.4 percent of the browser trusted websites are at risk.

The problem is that millions of HTTPS, Secure Shell (SSH), and virtual private network (VPN) servers use the same prime numbers for Diffie-Hellman key exchange.

“Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections,” researchers noted on a website detailing Logjam.

The experts carried out a week-long precomputation for a 512-bit Diffie-Hellman group used by 82 percent of the vulnerable servers. It’s believed that an academic team can break a 768-bit prime, while nation-state actors can even break a 1024-bit prime, which would allow them to conduct passive eavesdropping on connections. In fact, researchers believe the NSA might have already used this technique to target VPNs.

“Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break,” researchers said.

Proof-of-concept (PoC) attacks for Logjam show how an attacker can eavesdrop on a connection to the tips subdomain on the FBI’s website, how a MitM attacker can intercept a connection to Network Solutions’ webmail interface and steal a user’s credentials, and how a malicious actor could trick a user into downloading and executing arbitrary code.

Experts advise web and mail server administrators to disable support for export-grade cipher suites and ensure that a unique 2048-bit Diffie-Hellman group is generated. Developers and system administrators are advised to use up-to-date TLS libraries and reject Diffie-Hellman groups smaller than 1024-bit.

Google, Mozilla and Microsoft have already taken steps to mitigate Logjam attacks against Chrome, Firefox, and Internet Explorer. Apple is expected to do the same for Safari. Users are advised to keep their web browsers updated.

Additional details on the Logjam attack are available in a paper published by computer scientists at Inria Nancy-Grand Est, Inria Paris-Rocquencourt, Microsoft, Johns Hopkins University, University of Michigan, and the University of Pennsylvania.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.