The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerability 16951

TLS, SSH, VPN: weakening Diffie-Hellman via common primes

Synthesis of the vulnerability

An attacker positioned as a man-in-the-middle can recover the Diffie-Hellman shared secret negotiated by a TLS/SSH/VPN client and server, and thus read or alter the exchanged data.
Severity of this bulletin: 2/4.
Creation date: 20/05/2015.
References for this computer vulnerability: VIGILANCE-VUL-16951.

Description of the vulnerability

The Diffie-Hellman (DH) key exchange is used to agree on session keys. It is used by TLS, SSH and VPNs (IPsec, via IKE).

Most servers use the same handful of standardized prime numbers (the Oakley groups of RFC 2409 and the MODP groups of RFC 3526) or the default groups shipped with their software, rather than a group of their own. The cost of the number field sieve discrete logarithm algorithm is dominated by a precomputation that depends only on the prime, not on the session: an attacker who invests it once (roughly 100,000 core-hours for a 512-bit prime, about a week on a hundred or so multi-core machines) can afterwards compute individual discrete logarithms quickly, recover the DH secret of any session that uses that prime, and decrypt the session.

512-bit groups are considered broken, and 1024-bit groups are considered breakable by a nation-state adversary.

For TLS, this vulnerability is exploited in combination with Logjam (VIGILANCE-VUL-16950), which downgrades the connection to a 512-bit export-grade DHE group.

An attacker positioned as a man-in-the-middle can therefore recover the DH secret of a TLS/SSH/VPN session, in order to read or alter the exchanged data.

Software and systems affected by this bulletin include Apache httpd, AnyConnect VPN Client, IVE OS, Juniper SA, lighttpd, nginx, OpenSSH, OpenSSL, Openswan, Postfix, the SSL/TLS protocol itself, and Sendmail.

Our Vigil@nce team rated the severity of this vulnerability as medium.

Trust level: confirmed by the vendor. Attack origin: internet server.

Exploiting this vulnerability requires an expert-level attacker.

Solutions for this threat

TLS, SSH, VPN: solution for common primes.
The solution is to generate a unique 2048-bit Diffie-Hellman group for each server. Note the incompatibility risk with older clients such as Java 7 or IE < 8 (http://httpd.apache.org/docs/2.4/ssl/ssl_faq.html#javadh). Details are given in the information sources.
For example, for Apache httpd:
 - Generate a unique 2048-bit Diffie-Hellman group:
    openssl dhparam -out dhparams.pem 2048
 - Make mod_ssl use the new group, depending on the OpenSSL version:
   - OpenSSL < 1.0.2: append dhparams.pem to the file named by SSLCertificateFile (cat dhparams.pem >> sslcertfile); mod_ssl reads the DH parameters from the end of that file
   - OpenSSL 1.0.2 or later: point the SSLOpenSSLConfCmd directive at the file, i.e. SSLOpenSSLConfCmd DHParameters "dhparams.pem"
