Massive 'Logjam' Flaw Discovered
Report: NSA Likely Exploited Flaw to Crack VPNs
Numerous websites, mail servers and other services - including virtual private networks as well as "all modern browsers" - that rely on Transport Layer Security have a 20-year-old flaw that could be exploited by an attacker "to read and modify any data passed over the connection."
That warning was first sounded May 19 by a cross-national team of computer scientists, who have dubbed the related vulnerability "Logjam." After two months of behind-the-scenes effort, they have prepped related fixes for the vulnerability, which involves implementations of the Diffie-Hellman algorithm. But their fix, The Wall Street Journal reports, could soon make more than 20,000 websites unreachable.
"Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS," the researchers say via a dedicated Logjam attack website that they have created. "We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed."
The flaws were discovered by a team of computer scientists at Inria Nancy-Grand Est and Inria Paris-Rocquencourt in France, Microsoft Research, Johns Hopkins University, University of Michigan, and the University of Pennsylvania. They have released extensive technical details in a research paper titled Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice.
The researchers warn that based on their scans of the Internet, 8 percent of the world's 1 million most popular websites that use HTTPS - represented by a green padlock in browsers - are vulnerable to Logjam, as are 9 percent of POP-using email servers, and 8 percent of IMAP-using mail servers.
Resembles 'Freak' Flaw
The Logjam researchers say that the flaw resembles the SSL vulnerability known as Freak, which could be used by an attacker to force crypto suites to downgrade from using a "strong" RSA cipher to a weaker, "export-grade" RSA cipher. The Freak flaw was present in Apple, Android and Microsoft browsers, and resulted from the way they implemented TLS (see 'Freak' Flaw Also Affects Windows).
Unlike Freak, however, Logjam involves a "flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange," the researchers note.
"Like Freak, the Logjam vulnerability takes advantage of legacy encryption standards imposed in the 90's by the U.S. government and tricks servers into using weaker 512-bit keys which can be decrypted easily," Ken Westin, a senior security analyst at security firm Tripwire, says in a blog post. "The vulnerability affects any server supporting DHE_EXPORT ciphers and all modern browsers."
How Nation States Eavesdrop?
The Logjam researchers warn that this flaw can be - and likely has been - exploited by "state-level adversaries," such as the U.S. National Security Agency, and that more than just 512-bit keys are at risk. "Millions of HTTPS, SSH and VPN servers all use the same prime numbers for Diffie-Hellman key exchange," they say. "Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve - the most efficient algorithm for breaking a Diffie-Hellman connection - is dependent only on this prime. After this first step, an attacker can quickly break individual connections."
Based on the researchers' tests, 80 percent of sites that now use the most common 512-bit prime for TLS can have their connections downgraded and intercepted. The researchers also believe that an "academic team" could break a 768-bit prime, and that a nation state could break a 1024-bit prime. They add that 18 percent of the world's most popular 1 million websites use the same 1024-bit prime, and thus would be most susceptible to "passive eavesdropping" attacks. Meanwhile, cracking the second most popular 1024-bit prime would allow for eavesdropping on 66 percent of the world's VPN servers and 26 percent of all SSH servers.
"A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break," the researchers say. "Moving to stronger key exchange methods should be a priority for the Internet community."
What to Do
In the short term, anyone who runs a Web or mail server "should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group," the researchers say, noting that they have published a Guide to Deploying Diffie-Hellman for TLS that includes step-by-step instructions. "If you use SSH, you should upgrade both your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman Key Exchange."
All systems administrators and developers should "make sure any TLS libraries you use are up-to-date and that you reject Diffie-Hellman Groups smaller than 1024-bit," the researchers add.
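A client-side form of the "reject small groups" check, as an added example (not code from the researchers or from any TLS library): it parses the ServerDHParams structure a TLS server sends for DHE suites and grades the prime by its true bit length. The function names, the "weak" tier between 1024 and 2048 bits, and the constructed sample inputs are assumptions for illustration.

```python
import struct

REJECT_BELOW = 1024  # page: reject groups smaller than 1024-bit
RECOMMENDED = 2048   # page: generate a unique 2048-bit group

def read_vector(buf, offset):
    """Read one TLS opaque<1..2^16-1>: 2-byte big-endian length, then data."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from("!H", buf, offset)
    end = offset + 2 + length
    if length == 0 or end > len(buf):
        raise ValueError("bad vector length")
    return int.from_bytes(buf[offset + 2:end], "big"), end

def parse_server_dh_params(buf):
    """Parse ServerDHParams into the integers (dh_p, dh_g, dh_Ys)."""
    p, offset = read_vector(buf, 0)
    g, offset = read_vector(buf, offset)
    ys, offset = read_vector(buf, offset)
    return p, g, ys

def classify_group(buf):
    """Return (verdict, bits) for the prime the server offered."""
    p, g, ys = parse_server_dh_params(buf)
    bits = p.bit_length()  # leading zero bytes must not inflate the size
    if bits < REJECT_BELOW:
        return "reject", bits
    if not (1 < g < p - 1 and 1 < ys < p - 1):
        return "reject", bits  # degenerate generator or public value
    return ("weak" if bits < RECOMMENDED else "ok"), bits

def constructed_params(bits, pad=0):
    """Constructed sample input: p is an odd number of `bits` bits, not a real prime."""
    def vec(n, extra=0):
        size = (n.bit_length() + 7) // 8 + extra
        return struct.pack("!H", size) + n.to_bytes(size, "big")
    p = (1 << (bits - 1)) | 1
    return vec(p, pad) + vec(2) + vec(p // 3)

if __name__ == "__main__":
    for bits, pad in ((512, 0), (512, 64), (1024, 0), (2048, 0)):
        print(bits, pad, classify_group(constructed_params(bits, pad)))
```

The padded case matters: a 512-bit prime sent in a 128-byte field would pass a check that only looks at the encoded length.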
Patches Still Arriving
Browser makers have also been working to address Logjam. Patches for supported versions of Microsoft's Internet Explorer were reportedly released last week, but updates for Google Chrome (including Android Browser), Mozilla Firefox and Apple Safari do not yet appear to have been released, and may still take some time to arrive, penetration testing expert Dan Kaminsky, chief scientist of White Ops, says via Twitter.
@EllieAsksWhy it's an ugly one. We're gonna have to be a bit patient here. - Dan Kaminsky (@dakami) May 20, 2015
Regardless, security experts recommend users keep an eye out for all related updates. "For now, ensure you have the most recent version of your browser installed, and check for updates frequently," Brad Duncan, Rackspace security researcher and SANS Institute Internet Storm Center handler, says in a blog post.
New But 'Old' Bug
Security researchers report that Logjam has existed in TLS for 20 years, making it yet another "old bug" to have been newly found. It follows the discovery in January of the GHOST flaw, which has existed since 2000 (see Serious 'GHOST' Flaw Puts Linux at Risk). In 2014, meanwhile, three other serious, old bugs were discovered: Heartbleed in OpenSSL, the POODLE SSL flaw, and the Bash command-line flaw known as Shellshock.
But even after related fixes get released, numerous businesses and consumers do not apply them. Indeed, about 4,000 of the world's 1 million most popular websites remain vulnerable to Heartbleed, researchers at the University of Michigan tell The Wall Street Journal, despite related fixes having been released more than a year ago.