What is the Logjam vulnerability?
Another flaw has been found in the basic encryption algorithms that secure the Internet. This flaw, named the Logjam attack (CVE-2015-4000) by its discoverers (researchers from various universities and companies), allows an attacker that can carry out man-in-the-middle attacks to weaken the encryption used in secure connections (such as HTTPS, SSH, and VPNs). In theory, this means that an attacker (with sufficient resources) can break the encryption and read the “secure” traffic.
Logjam’s activities are reminiscent of the FREAK vulnerability discovered in March. FREAK forces a secure connection to utilize weaker encryption that makes it easy for cybercriminals to pounce on sensitive information.
The difference with Logjam is that the problem lies in a weakness found on the Diffie-Hellman key exchange. Websites and email servers make use of SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocols to create a secure connection among users. The Diffie-Hellman key exchange is primarily responsible for the communication and exchange of encryption keys that are used to secure a connection.
The Logjam attack makes it easy to lower TLS connections to the level of those that use 512-bit “export-grade” encryption. In turn, cybercriminals can dupe a server into accepting weaker encryption, thinking it is secure enough. This then gives them the chance to intercept the data that passes through the connection.
Who is impacted by Logjam?
Theoretically, any protocol that uses the Diffie-Hellman key exchange is at risk from this attack. However, note that this attack requires two factors on the part of the attacker: the ability to intercept traffic between the secure server and the client, as well as significant computation resources.
As of May 26, 2015, researchers have indicated that major browsers by Mozilla, Google, Microsoft, and Apple, among others, are working on fixes to address this vulnerability. End-users can also check if their browser is vulnerable by visiting this site.
Software developers are encouraged to check that any encryption libraries that are used or bundled with their applications are all up to date. In addition, the use of larger prime numbers for key exchange can be specified as well.
IT administrators with servers that use any of the at-risk services and protocols may perform the following actions:
- Disable support for all export cipher suites, to ensure they cannot be used.
- Increase the number of bits used by the prime numbers in the Diffie-Hellman key exchange to 2048 bits; this ensures that exceptional computational powers would be needed to break any encryption based on this process.
Does Trend Micro offer any protection against this vulnerability?
Fortunately, Trend Micro has some solutions that already provide protection against this threat.
Trend Micro Deep Security and Vulnerability Protection (formerly the IDF plug-in for OfficeScan) customers with the latest rules also have an additional layer of protection against this vulnerability.
Specifically, Trend Micro has released the following rules and patterns for proactive protection:
- Security Update 15-016 for Deep Security (DSRU15-016)
- Deep Packet Inspection (DPI) rule 1006561 – Identified Usage Of TLS/SSL EXPORT Cipher Suite In Response
- Deep Packet Inspection (DPI) rule 1006562 – Identified Usage Of TLS/SSL EXPORT Cipher Suite In Request
What Trend Micro products are affected?
|InterScan Messaging Security Suite (IMSS)||7.1 and 7.5 Windows||IMSS 7.1 Critical Patch 1326|
IMSS 7.5 Critical Patch 1326
|ServerProtect for Linux (SPLX)||RHEL 4/5/6 Centos 4/5/6 and SUSE 10/11||SPLX 3 Product Patch 6|
Trend Micro’s Product Vulnerability Response and Service Engineering teams are conducting a thorough analysis of our products and services to identify if other technologies may be affected.
What if my product is not listed?
If the product has not reached End-of-Support, it is most likely that Trend Micro is still analyzing the vulnerability and its impact on your product. As soon as the analysis is completed, the product will be added in the list.
What if I have additional questions?
For additional inquiries, contact Technical Support.
More information on the Logjam vulnerability can be found by visiting Trend Micro’s Security Blog: