2015-05 Out of Cycle Security Bulletin: "Logjam" passive attack on sub-1024 DH groups, and active downgrade attack of TLS to DHE_EXPORT (CVE-2015-4000)

[JSA10681]


Product Affected:
See Problem section below
Problem:
Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, and protocols that rely on TLS.

On May 20, 2015, researchers uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed:
  1. "Logjam attack" against the TLS protocol. The "Logjam attack" allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORT ciphers.

  2. Threats from state-level adversaries. Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections.
See https://weakdh.org for more info.

Affected Products

  • Junos OS (XNM-SSL)*
  • Firefly Host

Products Not Affected

  • Junos OS (J-Web, SSH, IPsec/IKE)
  • Junos Space
  • ScreenOS
  • STRM/JSA
  • CTP/CTPView
  • NSM/NSMXpress
  • WXOS

* See Product Status in Solution section below for specific versions of Junos OS.

Background and SIRT Analysis:
There are two aspects to "Logjam", both related to Diffie-Hellman key exchange:
  1. Active downgrade attack of TLS sessions: Affects SSL/TLS → CVE-2015-4000
  2. Passive attack on a DH group of 1024 bits or less: Can affect SSL/TLS, IPsec/IKE, and SSH
The active downgrade attack (1) is very similar to the previously published FREAK vulnerability, which has been addressed by JSA10679. The active attack is only against TLS sessions. Its purpose is to downgrade a session from a non-DHE_EXPORT ciphersuite to a DHE_EXPORT ciphersuite when the server supports DHE_EXPORT even though the client never offered it: the ServerKeyExchange message for a 512-bit export group is encoded exactly like the one for a full-strength DHE group, so a client that does not check the size of the group cannot tell the two apart.
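
Because the protocol gives the client no signal that it received an export-sized group, the only robust client-side defense is to measure p and refuse small groups, which is what browsers did after Logjam (a 1024-bit floor). The following Python script is an added example, not code from this advisory or from Juniper: it parses a DHE ServerKeyExchange message (the ServerDHParams structure of RFC 5246), reports the bit length of p, classifies it on the scale the Logjam paper uses, and applies a minimum-size check. The two sample moduli and the builder function are constructed for the demonstration; they are not real primes and not captured traffic.

```python
import struct

HANDSHAKE_SERVER_KEY_EXCHANGE = 12   # HandshakeType.server_key_exchange, RFC 5246 7.4

EXPORT_BITS = 512           # DHE_EXPORT group size the downgrade lands on
MIN_ACCEPTABLE_BITS = 1024  # minimum enforced by browsers after Logjam


def _read_vector16(buf, offset):
    """Read an opaque<1..2^16-1> vector (2-byte big-endian length prefix)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from("!H", buf, offset)
    offset += 2
    if offset + length > len(buf):
        raise ValueError("truncated vector body")
    return buf[offset:offset + length], offset + length


def parse_dhe_server_key_exchange(handshake):
    """Parse a DHE ServerKeyExchange handshake message: type(1) len(3), then
    ServerDHParams {dh_p, dh_g, dh_Ys} followed by the server's signature."""
    if len(handshake) < 4:
        raise ValueError("handshake header too short")
    msg_type = handshake[0]
    body_len = int.from_bytes(handshake[1:4], "big")
    if msg_type != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError(f"not a ServerKeyExchange (handshake type {msg_type})")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ServerKeyExchange body")
    dh_p, off = _read_vector16(body, 0)
    dh_g, off = _read_vector16(body, off)
    dh_ys, off = _read_vector16(body, off)
    p = int.from_bytes(dh_p, "big")
    return {
        "p": p,
        "g": int.from_bytes(dh_g, "big"),
        "Ys": int.from_bytes(dh_ys, "big"),
        "p_bits": p.bit_length(),
        "signature": body[off:],   # left opaque; verifying it needs the server certificate
    }


def classify_group(p_bits):
    """Map the size of p to the risk classes used in the Logjam paper."""
    if p_bits <= EXPORT_BITS:
        return "export"        # breakable in minutes after a one-time precomputation
    if p_bits < MIN_ACCEPTABLE_BITS:
        return "weak"          # e.g. 768-bit: within reach of an academic team
    if p_bits < 2048:
        return "1024-class"    # plausible target for a nation-state precomputation
    return "ok"


def client_should_accept(p_bits, minimum_bits=MIN_ACCEPTABLE_BITS):
    """The client-side fix: reject a small p regardless of which cipher suite
    the client believes it negotiated."""
    return p_bits >= minimum_bits


def build_dhe_server_key_exchange(p, g, ys, signature=b""):
    """Encode ServerDHParams the way a server would (used here only to build samples)."""
    def vec(n):
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(raw)) + raw
    body = vec(p) + vec(g) + vec(ys) + signature
    return bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


# Constructed sample moduli: NOT real primes, only their bit lengths matter here.
SAMPLE_EXPORT_P = (1 << 511) | 0x8F    # 512-bit, what a DHE_EXPORT server sends
SAMPLE_STRONG_P = (1 << 2047) | 0x8F   # 2048-bit, comparable to IKE group 14


def audit(handshake):
    """Return the verdict a hardened client would reach for one ServerKeyExchange."""
    info = parse_dhe_server_key_exchange(handshake)
    return {"p_bits": info["p_bits"],
            "class": classify_group(info["p_bits"]),
            "accept": client_should_accept(info["p_bits"])}


if __name__ == "__main__":
    for p in (SAMPLE_EXPORT_P, SAMPLE_STRONG_P):
        print(audit(build_dhe_server_key_exchange(p, 2, 0x1234)))
```

To use it on real traffic, hand parse_dhe_server_key_exchange the handshake message extracted from a capture (the bytes following the 5-byte TLS record header). A result of "export" on a connection the client believes uses a normal DHE suite is the Logjam signature; a server that never offers DHE_EXPORT cannot produce it.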

The passive attack (2) is not technically considered a product security vulnerability by the Juniper SIRT, but rather a previously known weakness of smaller DH groups. As compute power increases, group size must increase to maintain the same margin against discrete-logarithm attacks such as the number field sieve.


Solution:

Product Status

Junos:

• SSL/TLS:
SSL is used for remote network configuration and management applications such as J-Web and SSL Service for JUNOScript (XNM-SSL).
  • J-Web is not vulnerable. Export cipher suites (1) negotiated by J-Web are disabled by default in all supported versions of Junos.
  • XNM-SSL is vulnerable in earlier releases. Export cipher suites (1) used by XNM-SSL follow the OpenSSL defaults of each Junos version. Export cipher suites are disabled by default in OpenSSL 1.0.1m and 0.9.8zf (Junos PR 1072809), corresponding to Junos OS 12.1X44-D55, 12.1X46-D40, 12.1X47-D25, 12.3R10, 12.3X48-D20, 13.2R8, 13.3R7, 14.1R5, 14.2R3, 15.1R1, and all subsequent releases.

• SSH:

SSH can be configured to use the 2048-bit dh-group14-sha1 key exchange; the default is the 1024-bit group. The available key-exchange algorithms can be listed from the CLI:

[edit system services ssh]
user@junos# set key-exchange ?

Possible completions:
[ Open a set of values
dh-group1-sha1 The RFC 4253 mandated group1 with SHA1 hash
dh-group14-sha1 The RFC 4253 mandated group14 with SHA1 hash
ecdh-sha2-nistp256 The EC Diffie-Hellman on nistp256 with SHA2-256
ecdh-sha2-nistp384 The EC Diffie-Hellman on nistp384 with SHA2-384
ecdh-sha2-nistp521 The EC Diffie-Hellman on nistp521 with SHA2-512
group-exchange-sha1 The RFC 4419 group exchange with SHA1 hash
group-exchange-sha2 The RFC 4419 group exchange with SHA2-256 hash

• IPsec/IKE:

The paper describing this attack assesses Diffie-Hellman group 1 (768-bit MODP) as potentially breakable by an academic group, and DH group 2 (1024-bit MODP) as potentially breakable by a nation-state actor. To avoid potential exposure, the use of these two groups should be avoided. The pre-defined IKE proposal sets shown below contain groups 1 and 2:

basic: Basic set of two IKE proposals:
Proposal 1: Preshared key, Data Encryption Standard (DES) encryption, and Diffie-Hellman (DH) group 1 and Secure Hash Algorithm 1 (SHA-1) authentication.
Proposal 2: Preshared key, DES encryption, and DH group 1 and Message Digest 5 (MD5) authentication.

compatible: Set of four commonly used IKE proposals:
Proposal 1: Preshared key, triple DES (3DES) encryption, and DH group 2 and SHA-1 authentication.
Proposal 2: Preshared key, 3DES encryption, and DH group 2 and MD5 authentication.
Proposal 3: Preshared key, DES encryption, and DH group 2 and SHA-1 authentication.
Proposal 4: Preshared key, DES encryption, and DH group 2 and MD5 authentication.

standard: Standard set of two IKE proposals:
Proposal 1: Preshared key, 3DES encryption, and DH group 2 and SHA-1 authentication.
Proposal 2: Preshared key, Advanced Encryption Standard (AES) 128-bit encryption, and DH group 2 and SHA-1 authentication.

The same applies to any custom IKE or IPsec proposal or policy that references group 1 or 2.

Note that Junos does not ship with pre-computed Diffie-Hellman keys (2). All DH private values are ephemeral: they are generated for a single SA and are never re-used.
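
For an operator, the practical task that follows from the SSH and IPsec/IKE sections above is to find every place a Junos configuration still references DH group 1 or 2 (or the 1024-bit SSH group) and move it to group 14. The script below is an added example written for this article, not a Juniper tool: it scans "show configuration | display set" output for the statements discussed above (ssh key-exchange, ike proposal dh-group, ike policy proposal-set basic/compatible/standard, and ipsec policy perfect-forward-secrecy keys) and emits a replacement command for each hit. The sample configuration is constructed, not taken from a device; the suggested fixes assume group 14 and the ECDH exchanges are available in the Junos release in use, which must be checked against the release notes.

```python
import re
from dataclasses import dataclass

# Groups this advisory says to avoid: IKE DH group 1 (768-bit MODP) and group 2
# (1024-bit MODP); for SSH, dh-group1-sha1 (the 1024-bit RFC 4253 group).
WEAK_IKE_GROUPS = {"group1", "group2"}
WEAK_SSH_KEX = {"dh-group1-sha1"}
# Pre-defined IKE proposal sets listed in the Solution section; all use group 1 or 2.
WEAK_IKE_PROPOSAL_SETS = {"basic", "compatible", "standard"}

IKE_DH_RE = re.compile(r"^set security ike proposal (\S+) dh-group (\S+)$")
IKE_SET_RE = re.compile(r"^set security ike policy (\S+) proposal-set (\S+)$")
IPSEC_PFS_RE = re.compile(
    r"^set security ipsec policy (\S+) perfect-forward-secrecy keys (\S+)$")
SSH_KEX_RE = re.compile(r"^set system services ssh key-exchange (.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # ssh-kex | ike-proposal | ike-proposal-set | ipsec-pfs
    name: str    # proposal or policy name ("ssh" for the SSH service)
    value: str   # the weak group, set or algorithm found
    fix: str     # set/delete command that removes it


def _split_list(value):
    """Accept both 'a' and '[ a b ]' forms that display-set output may use."""
    return value.strip("[] ").split()


def audit_junos_config(config_text):
    """Return a Finding for every reference to a sub-2048-bit DH group."""
    findings = []
    ssh_kex_configured = False
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SSH_KEX_RE.match(line)
        if m:
            ssh_kex_configured = True
            for kex in _split_list(m.group(1)):
                if kex in WEAK_SSH_KEX:
                    findings.append(Finding("ssh-kex", "ssh", kex,
                        f"delete system services ssh key-exchange {kex}"))
            continue
        m = IKE_DH_RE.match(line)
        if m and m.group(2) in WEAK_IKE_GROUPS:
            findings.append(Finding("ike-proposal", m.group(1), m.group(2),
                f"set security ike proposal {m.group(1)} dh-group group14"))
            continue
        m = IKE_SET_RE.match(line)
        if m and m.group(2) in WEAK_IKE_PROPOSAL_SETS:
            # A pre-defined set cannot be edited; remove it and reference a
            # custom proposal that uses group14 instead.
            findings.append(Finding("ike-proposal-set", m.group(1), m.group(2),
                f"delete security ike policy {m.group(1)} proposal-set {m.group(2)}"))
            continue
        m = IPSEC_PFS_RE.match(line)
        if m and m.group(2) in WEAK_IKE_GROUPS:
            findings.append(Finding("ipsec-pfs", m.group(1), m.group(2),
                f"set security ipsec policy {m.group(1)} perfect-forward-secrecy keys group14"))
    if not ssh_kex_configured:
        # No key-exchange statement at all: the default permits the 1024-bit group.
        findings.append(Finding("ssh-kex", "ssh", "(default)",
            "set system services ssh key-exchange [ ecdh-sha2-nistp256 dh-group14-sha1 ]"))
    return findings


# Constructed sample in 'show configuration | display set' form (not from a real device).
SAMPLE_CONFIG = """
set system services ssh key-exchange dh-group1-sha1
set system services ssh key-exchange dh-group14-sha1
set security ike proposal ike-weak authentication-method pre-shared-keys
set security ike proposal ike-weak dh-group group2
set security ike proposal ike-strong dh-group group14
set security ike policy ike-pol-legacy proposal-set standard
set security ike policy ike-pol-new proposals ike-strong
set security ipsec policy vpn-pol perfect-forward-secrecy keys group2
"""

if __name__ == "__main__":
    for f in audit_junos_config(SAMPLE_CONFIG):
        print(f"{f.kind:17} {f.name:15} {f.value:15} -> {f.fix}")
```

Run it against saved "display set" output before and after the change; the second run should return no findings. Removing dh-group1-sha1 from SSH breaks clients that only support that group (the Junos Space J2SSH client described below is one), so confirm client compatibility first.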

Junos Space:

Junos Space does not negotiate Diffie-Hellman cipher suites for SSL/TLS and is therefore not vulnerable (1).

The OpenSSH server used in Junos Space defaults to 2048-bit diffie-hellman-group14-sha1 (2), but can be configured to use other key exchange algorithms by modifying the KexAlgorithms parameter within /etc/ssh/sshd_config.

The J2SSH client used in Junos Space to contact managed Junos devices uses 1024-bit diffie-hellman-group1-sha1.  Caution should be used in changing the SSH key exchange on Junos devices managed by Junos Space to confirm compatibility before deployment.  The J2SSH client will be enhanced in a future release to support stronger DH key exchanges (PR 1114514).

NSM:

Confirmed not vulnerable (see Modification History, 2015-06-12).

ScreenOS:

ScreenOS is not vulnerable to the SSL/TLS downgrade attack (1).

ScreenOS supports Diffie-Hellman Groups 1, 2, 5 & 14:

http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_VPN.pdf

KB14667 also notes that ScreenOS supports DH Groups 5 and 14 (depending on version) which are currently considered strong enough to address concerns over brute-force attack (2).

Firefly Host:

The Firefly Host appliance has two components: SDC (Center) and SVM (Agent).

The SVM is not vulnerable, as it serves only as the communication medium between the ESX hosts, the SDC and the other VMs in the data center.

The SDC module was vulnerable, and addressing the vulnerability required a newer Java (version 8.0): the Java 1.6 runtime it shipped with supports only 768-bit key lengths in its SSL library.

A patch has been created that contains the upgraded Java version 8.0 along with the code changes in the Center module required to support the new Java version. This patch must be installed on the 6.0R2.c-1-3 release of the Dashboard. Contact JTAC to obtain a copy of the patch for Firefly Host.

Installation Procedure
  • Copy the LogjamPatch.tar file to the FFH Dashboard using SSH/FTP/SCP to the location /home/admin.

  • Extract LogjamPatch.tar with tar:
    $ tar -xvf LogjamPatch.tar

  • This extracts the patch files into /home/admin.

  • Execute the patch script as follows:
    $ sh Update_LogjamPatch.sh

    Note: enter the sudo password when prompted.

  • The script performs the following actions:
    1. Stop the god and tomcat services
    2. Apply the patch:
      1. Upgrade the Java version from 1.6 to 1.8
      2. Apply the code changes required by the JDK version upgrade
    3. Start the god and tomcat services

  • After the script completes, the system restarts to apply the JDK version change.

  • A log file (patch.log) is created for this installation; share it with JTAC if any errors are encountered during patch installation.

STRM/JSA:

httpd does not use export grade ciphers (1) and the Diffie-Hellman ciphers that are in use with httpd are 1024 bit (2). httpd will be updated to use 2048-bit Diffie-Hellman ciphers in a future release.

Server-side Java is not vulnerable because httpd controls the ciphers; however, client-side Java connecting out to integrations may be vulnerable. Java will be updated in the near future to mitigate this.

CTP/CTPView:

CTP does not have an SSL/TLS listener and SSH is not configurable.

CTPView does not support Diffie-Hellman nor export-grade ciphers.

WXOS:

WXOS does not negotiate export grade ciphers (1) and is therefore not vulnerable to CVE-2015-4000.  WXOS also does not support Diffie-Hellman ciphers (2).

Workaround:

Junos:

Since only SSL Service for JUNOScript (XNM-SSL) is vulnerable, depending on version, viable workarounds for this issue in Junos may include:
  • Disable the SSL service for JUNOScript and use only NETCONF, which runs over SSH, to make configuration changes
  • Limit access to XNM-SSL from only trusted networks

Note that J-Web is not vulnerable in any release of Junos OS, and XNM-SSL is only vulnerable in releases prior to those listed in the Solution section above.


In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the router via SSL and SSH only from trusted, administrative networks or hosts.

Implementation:

Modification History:

2015-05-29: Initial publication
2015-06-01: Simplified IPsec/IKE description for Junos
2015-06-12: Confirmed NSM not vulnerable
2015-06-15: Removed J-Web workaround, since J-Web is not vulnerable
2015-08-27: Clarified difference between Junos Space OpenSSH server and J2SSH client
2015-09-18: Updated statement for WXOS
2016-04-27: Provided instructions to patch Firefly Host
2017-03-05: Category restructure.

Related Links:
CVSS Score:
4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Risk Level:
Low
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements: