-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
2015-05 Out of Cycle Security Bulletin: "Logjam" passive attack on sub-1024
DH groups, and active downgrade attack of TLS to DHE_EXPORT (CVE-2015-4000)
1 June 2015
AusCERT Security Bulletin Summary
Product: Junos OS (XNM-SSL)
Publisher: Juniper Networks
Operating System: Juniper
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
CVE Names: CVE-2015-4000
- --------------------------BEGIN INCLUDED TEXT--------------------
2015-05 Out of Cycle Security Bulletin: "Logjam" passive attack on sub-1024 DH
groups, and active downgrade attack of TLS to DHE_EXPORT (CVE-2015-4000)
Security Advisories ID: JSA10681
Last Updated: 29 May 2015
See Problem section below
Diffie-Hellman key exchange is a popular cryptographic algorithm that allows
Internet protocols to agree on a shared key and negotiate a secure connection.
It is fundamental to many protocols including HTTPS, SSH, IPsec, and protocols
that rely on TLS.
On May 20, 2015, researchers uncovered several weaknesses in how
Diffie-Hellman key exchange has been deployed:
"Logjam attack" against the TLS protocol. The "Logjam attack" allows a
man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit
export-grade cryptography. This allows the attacker to read and modify any
data passed over the connection. The attack is reminiscent of the FREAK
attack, but is due to a flaw in the TLS protocol rather than an implementation
vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA
key exchange. The attack affects any server that supports DHE_EXPORT ciphers.
Threats from state-level adversaries. Millions of HTTPS, SSH, and VPN
servers all use the same prime numbers for Diffie-Hellman key exchange.
Practitioners believed this was safe as long as new key exchange messages were
generated for every connection. However, the first step in the number field
sieve (the most efficient algorithm for breaking a Diffie-Hellman connection)
depends only on this prime. Once that precomputation has been done for a given
prime, an attacker can quickly break individual connections that use it.
See https://weakdh.org for more info.
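As an added illustration (not part of the Juniper bulletin or the weakdh.org material), the following Python parses the ServerDHParams carried in a TLS 1.2 ServerKeyExchange message (RFC 5246 section 7.4.3) and reports the modulus size, which is what separates an export-grade 512-bit group (the Logjam downgrade target) from a 1024-bit group (nation-state territory) and a 2048-bit one. The sample message is built inside the script with a placeholder modulus that is not a real prime and not a captured handshake; all function names are this example's own.

```python
"""Report the Diffie-Hellman modulus size in a TLS 1.2 ServerKeyExchange.

Added example (not from the bulletin): the handshake message is constructed
below with a placeholder modulus; it is not a captured handshake.
"""
import struct

EXPORT_GRADE_BITS = 512   # DHE_EXPORT ceiling; the Logjam downgrade target
NATION_STATE_BITS = 1024  # precomputation judged feasible for a nation state
RECOMMENDED_BITS = 2048


def _read_vector(buf, off):
    """Read a uint16-length-prefixed opaque vector; return (bytes, next offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated vector body")
    return buf[off:off + n], off + n


def parse_server_dh_params(handshake):
    """Parse a ServerKeyExchange (type 0x0c) carrying ServerDHParams.

    Only valid when the negotiated suite is DHE_*: an ECDHE ServerKeyExchange
    has a different body layout that this parser would misread, so the caller
    must know the cipher suite from the ServerHello.
    """
    if len(handshake) < 4 or handshake[0] != 0x0C:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(handshake[1:4], "big")   # uint24 length
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("handshake body truncated")
    p, off = _read_vector(body, 0)    # dh_p
    g, off = _read_vector(body, off)  # dh_g
    ys, off = _read_vector(body, off) # dh_Ys (server public value)
    p_int = int.from_bytes(p, "big")
    return {"p": p_int, "g": int.from_bytes(g, "big"), "Ys": int.from_bytes(ys, "big"),
            "p_bits": p_int.bit_length(), "signature": body[off:]}


def classify_group(p_bits):
    """Map the modulus size to the threat tiers described in the Logjam paper."""
    if p_bits <= EXPORT_GRADE_BITS:
        return "export-grade"      # DHE_EXPORT group; breakable with academic resources
    if p_bits <= NATION_STATE_BITS:
        return "weak"              # within reach of nation-state precomputation
    return "acceptable"            # 2048-bit or larger


def build_server_key_exchange(p, g, ys, signature=b""):
    """Build a ServerKeyExchange for testing (constructed, not a real handshake)."""
    def vec(x):
        raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(raw)) + raw
    body = vec(p) + vec(g) + vec(ys) + signature
    return b"\x0c" + len(body).to_bytes(3, "big") + body


# Placeholder moduli with the top bit set so bit_length() is exact; they are
# NOT primes and NOT the real export or RFC groups.
PLACEHOLDER_P512 = (1 << 511) | 0x2B
PLACEHOLDER_P2048 = (1 << 2047) | 0x2B

if __name__ == "__main__":
    for p in (PLACEHOLDER_P512, PLACEHOLDER_P2048):
        msg = build_server_key_exchange(p, 2, pow(2, 12345, p))
        params = parse_server_dh_params(msg)
        print(f"p is {params['p_bits']} bits -> {classify_group(params['p_bits'])}")
```

In practice the message comes from a packet capture or from a scanner's own ClientHello; a ServerKeyExchange with a 512-bit modulus arriving on a connection where the client never offered a DHE_EXPORT suite is exactly the active downgrade described above.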
Products Affected
Junos OS (XNM-SSL)*
Products Not Affected
Junos OS (J-Web, SSH, IPsec/IKE)
Products Under Investigation
* See Product Status in Solution section below for specific versions of Junos
Background and SIRT Analysis:
There are two aspects to "Logjam", both related to Diffie-Hellman key exchange:
(1) Active downgrade attack of TLS sessions: Affects SSL/TLS (CVE-2015-4000)
(2) Passive attack on a DH group <= 1024 bits: Can affect SSL/TLS, IPsec/IKE, and SSH
The active downgrade attack (1) is very similar to the previously published
FREAK vulnerability which has been addressed by JSA10679. The active attack is
only against TLS sessions, and its purpose is to downgrade from a
non-DHE_EXPORT ciphersuite to a DHE_EXPORT ciphersuite when the server
supports DHE_EXPORT but the client does not.
The passive attack (2) is not technically considered a product security
vulnerability by the Juniper SIRT, but rather a previously known weakness in
smaller DH groups. As compute power increases, key strength must increase to
maintain the same level of defense against brute force attack.
SSL is used for remote network configuration and management applications such
as J-Web and SSL Service for JUNOScript (XNM-SSL).
J-Web is not vulnerable. Export cipher suites (1) negotiated by J-Web are
disabled by default in all supported versions of Junos.
XNM-SSL is vulnerable in earlier releases. Export cipher suites (1) used by
XNM-SSL follow the defaults for OpenSSL found within each version of Junos.
Export cipher suites are disabled by default in OpenSSL 1.0.1m and 0.9.8zf
(Junos PR 1072809) corresponding to: Junos OS 12.1X44-D55, 12.1X46-D40,
12.1X47-D25, 12.3R10, 12.3X48-D20, 13.2R8, 13.3R7, 14.1R5, 14.2R3, 15.1R1, and
all subsequent releases.
SSH: The SSH key exchange is configurable to use a 2048-bit group
(dh-group14-sha1); the default is a 1024-bit group:
[edit system services ssh]
user@junos# set key-exchange ?
[ Open a set of values
dh-group1-sha1 The RFC 4253 mandated group1 with SHA1 hash
dh-group14-sha1 The RFC 4253 mandated group14 with SHA1 hash
ecdh-sha2-nistp256 The EC Diffie-Hellman on nistp256 with SHA2-256
ecdh-sha2-nistp384 The EC Diffie-Hellman on nistp384 with SHA2-384
ecdh-sha2-nistp521 The EC Diffie-Hellman on nistp521 with SHA2-512
group-exchange-sha1 The RFC 4419 group exchange with SHA1 hash
group-exchange-sha2 The RFC 4419 group exchange with SHA2-256 hash
The paper describing this attack describes Diffie-Hellman Group 1 (768-bit) as
potentially vulnerable to an academic group, and DH Group 2 (1024-bit) as
potentially vulnerable to a nation-state actor. To avoid potential exposure,
the use of these two groups should be avoided.
Configuration options that could select these options are:
[edit security group-vpn member ike policy policy-name]
[edit security group-vpn server ike policy policy-name]
[edit security ike policy policy-name]
in which the policy includes a reference to any of the pre-defined IKE
exchange proposals shown below that contain groups 1 and 2:
basic: Basic set of two IKE proposals:
Proposal 1: Preshared key, Data Encryption Standard (DES) encryption, and
Diffie-Hellman (DH) group 1 and Secure Hash Algorithm 1 (SHA-1) authentication.
Proposal 2: Preshared key, DES encryption, and DH group 1 and Message Digest 5
(MD5) authentication.
compatible: Set of four commonly used IKE proposals:
Proposal 1: Preshared key, triple DES (3DES) encryption, and DH group 2 and
SHA-1 authentication.
Proposal 2: Preshared key, 3DES encryption, and DH group 2 and MD5 authentication.
Proposal 3: Preshared key, DES encryption, and DH group 2 and SHA-1 authentication.
Proposal 4: Preshared key, DES encryption, and DH group 2 and MD5 authentication.
standard: Standard set of two IKE proposals:
Proposal 1: Preshared key, 3DES encryption, and DH group 2 and SHA-1 authentication.
Proposal 2: Preshared key, Advanced Encryption Standard (AES) 128-bit
encryption, and DH group 2 and SHA-1 authentication.
The same would apply to a custom IKE or IPSec proposal that contains
references to groups 1 or 2. These are configured under:
[edit security ike proposal]
[edit security ipsec policy keys]
Note that Junos does not ship with pre-computed Diffie-Hellman keys (2). All
DH keys are ephemeral and are generated for a single SA.
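As an added example (not Juniper's code and not part of the bulletin), the following Python audits a Junos `set`-style configuration for the weak settings discussed above: an SSH key-exchange of dh-group1-sha1, IKE proposals or IPsec PFS that use group1 or group2, and IKE policies (including the group-vpn member/server variants) that reference one of the pre-defined proposal sets, all of which use DH group 1 or 2. The configuration text it scans is constructed for the example; the IPsec statement is written in its full `perfect-forward-secrecy keys` form, and the function and policy names are this example's own.

```python
"""Audit Junos 'set' configuration statements for DH groups 1 and 2.

Added example: scans constructed configuration text, not a live device.
"""
import re

# IKE/IPsec DH groups the bulletin says to avoid: group1 (768-bit MODP) and
# group2 (1024-bit MODP). group14 is 2048-bit MODP.
WEAK_IKE_GROUPS = {"group1", "group2"}
SUGGESTED_IKE_GROUP = "group14"
# SSH: dh-group1-sha1 is the 1024-bit group; dh-group14-sha1 is 2048-bit.
WEAK_SSH_KEX = {"dh-group1-sha1"}
# Every pre-defined IKE proposal set (basic, compatible, standard) uses group 1 or 2.
PREDEFINED_PROPOSAL_SETS = {"basic", "compatible", "standard"}

# IKE policies live under [edit security ike policy] and, for Group VPN,
# under [edit security group-vpn member|server ike policy].
_IKE_POLICY_SCOPE = r"security (?:group-vpn (?:member|server) )?ike policy"


def audit_line(stmt):
    """Return {'line', 'reason', 'fix'} for a weak statement, or None if it is fine."""
    stmt = " ".join(stmt.split())  # normalise whitespace
    if not stmt.startswith("set "):
        return None

    # [edit system services ssh key-exchange]; the value may be a bracketed list
    m = re.fullmatch(r"set system services ssh key-exchange (.+)", stmt)
    if m:
        algs = m.group(1).strip("[] ").split()
        weak = [a for a in algs if a in WEAK_SSH_KEX]
        if not weak:
            return None
        kept = [a for a in algs if a not in WEAK_SSH_KEX] or ["dh-group14-sha1"]
        return {"line": stmt, "reason": f"SSH key exchange {weak} uses a 1024-bit group",
                "fix": "set system services ssh key-exchange [ " + " ".join(kept) + " ]"}

    # [edit security ike proposal NAME dh-group GROUP]
    m = re.fullmatch(r"set security ike proposal (\S+) dh-group (\S+)", stmt)
    if m and m.group(2) in WEAK_IKE_GROUPS:
        return {"line": stmt, "reason": f"IKE proposal {m.group(1)} uses {m.group(2)}",
                "fix": stmt[:m.start(2)] + SUGGESTED_IKE_GROUP}

    # [edit security ... ike policy NAME proposal-set SET]
    m = re.fullmatch(rf"set {_IKE_POLICY_SCOPE} (\S+) proposal-set (\S+)", stmt)
    if m and m.group(2) in PREDEFINED_PROPOSAL_SETS:
        return {"line": stmt,
                "reason": f"IKE policy {m.group(1)} uses pre-defined set '{m.group(2)}' (DH group 1/2)",
                "fix": f"replace 'proposal-set {m.group(2)}' with 'proposals <name>' pointing at a "
                       f"custom IKE proposal that uses {SUGGESTED_IKE_GROUP}"}

    # [edit security ipsec policy NAME perfect-forward-secrecy keys GROUP]
    m = re.fullmatch(r"set security ipsec policy (\S+) perfect-forward-secrecy keys (\S+)", stmt)
    if m and m.group(2) in WEAK_IKE_GROUPS:
        return {"line": stmt, "reason": f"IPsec policy {m.group(1)} PFS uses {m.group(2)}",
                "fix": stmt[:m.start(2)] + SUGGESTED_IKE_GROUP}
    return None


def audit_config(text):
    """Audit every statement in a block of 'set' configuration; return the findings in order."""
    findings = []
    for line in text.splitlines():
        finding = audit_line(line)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample configuration (not taken from any real device).
SAMPLE_CONFIG = """\
set system services ssh key-exchange dh-group1-sha1
set security ike proposal branch-ike dh-group group2
set security ike proposal branch-ike authentication-algorithm sha-256
set security ike policy branch-pol proposals branch-ike
set security ike policy legacy-pol proposal-set standard
set security group-vpn member ike policy gv-pol proposal-set compatible
set security ipsec policy branch-ipsec perfect-forward-secrecy keys group2
set security ike proposal hq-ike dh-group group14
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"WEAK: {f['line']}\n  why: {f['reason']}\n  fix: {f['fix']}")
```

Run against `show configuration | display set` output, the script flags the five weak statements in the sample and leaves the group14 proposal and the policy that references a custom proposal alone; re-auditing the suggested `set` lines produces no findings.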
Junos Space does not support Diffie-Hellman key exchange for SSL/TLS and is
therefore not vulnerable (1).
OpenSSH defaults to 2048-bit diffie-hellman-group14-sha1 (2), but can be
configured to use other key exchange algorithms by modifying the KexAlgorithms
parameter within /etc/ssh/sshd_config.
Still under investigation.
ScreenOS is not vulnerable to the SSL/TLS downgrade attack (1).
ScreenOS supports Diffie-Hellman Groups 1, 2, 5 & 14.
KB14667 also notes that ScreenOS supports DH Groups 5 and 14 (depending on
version) which are currently considered strong enough to address concerns over
brute-force attack (2).
Still under investigation.
httpd does not use export-grade ciphers (1), and the Diffie-Hellman group used
with httpd is 1024-bit (2). httpd will be updated to use a 2048-bit
Diffie-Hellman group in a future release.
Server-side Java is not vulnerable as httpd controls the ciphers, however
client-side Java connecting out to integrations may be vulnerable. Java will
be updated in the near future to mitigate this.
CTP does not have an SSL/TLS listener and SSH is not configurable.
CTPView does not support Diffie-Hellman nor export-grade ciphers.
Since SSL is used for remote network configuration and management applications
such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable workarounds for
this issue in Junos may include:
Disable SSL service for JUNOScript and only use Netconf, which makes use
of SSH, to make configuration changes
Limit access to J-Web and XNM-SSL from only trusted networks
Note that J-Web is not vulnerable in any release of Junos OS, and XNM-SSL is
only vulnerable in releases prior to those listed in the Solution section.
In addition to the recommendations listed above, it is good security practice
to limit the exploitable attack surface of critical infrastructure networking
equipment. Use access lists or firewall filters to limit access to the router
via SSL and SSH only from trusted, administrative networks or hosts.
2015-05-29: Initial publication
The Logjam Attack
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
JSA10679: 2015-04 Security Bulletin: OpenSSL 8th January 2015 advisory
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories".
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----