Security Vulnerability : Logjam aka CVE-2015-4000
This document (7016529) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
Situation
Recently a new vulnerability within TLS implementations was published, called Logjam (CVE-2015-4000).
The researcher website and paper can be found on https://weakdh.org/
Logjam actually consists of multiple issues related to each other.
The attacks target the Diffie-Hellman key exchange, which is used to implement Perfect Forward Secrecy (every TLS connections gets different keys, so a leaked key can not be used to decrypt previous or future
communications)
1. Downgrading DH parameter curves to export strength
The core attack is a downgrade of the DH parameters used during the initial TLS setup to an export strength of 512 bits. The researchers showed that they break the DH key exchange with a 512bit parameter set in near realtime.
This has to be filtered out by the SSL client. Many of them still allow such downgrades and would work.
Our plan:
In the near future SSL client applications and libraries will be upgraded to reject too-short parameter sets outright. This covers openssl and mozilla-nss and potentially others.
2. Using more than one DH parameter set
A secondary issue found by the researchers is that a huge part of internet services only use specific and static parameters. They also think that breaking a 1024 bit parameter is in reach of organizations with sufficient knowledge and compute power. A large part of the internet uses the same 1024 bit DH parameter set, so breaking one of these would break a lot of services at the same time.
The researcher website and paper can be found on https://weakdh.org/
Logjam actually consists of multiple issues related to each other.
The attacks target the Diffie-Hellman key exchange, which is used to implement Perfect Forward Secrecy (every TLS connections gets different keys, so a leaked key can not be used to decrypt previous or future
communications)
1. Downgrading DH parameter curves to export strength
The core attack is a downgrade of the DH parameters used during the initial TLS setup to an export strength of 512 bits. The researchers showed that they break the DH key exchange with a 512bit parameter set in near realtime.
This has to be filtered out by the SSL client. Many of them still allow such downgrades and would work.
Our plan:
In the near future SSL client applications and libraries will be upgraded to reject too-short parameter sets outright. This covers openssl and mozilla-nss and potentially others.
2. Using more than one DH parameter set
A secondary issue found by the researchers is that a huge part of internet services only use specific and static parameters. They also think that breaking a 1024 bit parameter is in reach of organizations with sufficient knowledge and compute power. A large part of the internet uses the same 1024 bit DH parameter set, so breaking one of these would break a lot of services at the same time.
Resolution
One way to solve this is to deploy or allow deployment of different and longer DH parameters in SSL services specific to the system to avoid reusing the known upstream sets.
Some tools:
Generate a new dhparam set with e.g.:
# openssl dhparam -out dhparams.pem 2048
How to add this to our services:
apache2:
openvpn:
strongswan:
OpenSSH:
Some tools:
Generate a new dhparam set with e.g.:
# openssl dhparam -out dhparams.pem 2048
How to add this to our services:
apache2:
SLE11:
For mod_ssl changing the DH parameters is currently not implemented, we will work on an update.
A workaround is to use mod_nss (from apache2-mod_nss), which is not affected (it does not support Diffie-Hellman, only Elliptic Curve Diffie-Hellman).
SLE12:
To supply DH Parameters, these can be appended to the first SSL Certificate, e.g. with
# cat dhparams.pem >>/etc/apache2/ssl.crt/server.crt
where server.crt is the first "SSLCertificateFile" listed.
openvpn:
Has already allowed specifying the DH parameter with the "dh" keyword, if you have used the include dh1024.pem we recommend to replace this with a fresh generated one.
strongswan:
Uses standard defined DH parameters which cannot be changed.
OpenSSH:
SLE11 and SLE12 already use the Elliptic Curve Diffie-Hellman (ECDH). By default key exchange is not affected by the Logjam problem.
In addition it is possible to change the OpenSSH configuration to increase the minimum Diffie-Hellman group size.
Cause
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7016529
- Creation Date: 21-May-2015
- Modified Date:25-Sep-2020
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
