A vulnerability recently exposed in Diffie-Hellman key exchange for TLS is potentially serious. However it can be mitigated by doing the following on all of your TLS/SSL enabled systems:

  • Disable the use of export cipher suites. These suites are legacy ciphers mandated due to US encryption law prior to January 2000 which prohibited the export of “strong” encryption. They are no longer required.
  • Generate and deploy a 2048-bit Diffie-Hellman group.
  • Deploy Ephermal Elliptic-Curve Diffie-Hellman (ECDHE) based cipher suites.

Due to the nature of this vulnerability, we do not currently have signatures for detecting an exploit attempt in progress. However, we are actively researching methods of detection that can be rolled out to our sensors.

What We Know

The mechanics of this exploit require Man-in-the-Middle access to the network between the client and server, which makes the largest potential threat either internal users or outside users accessing an insecure network. 

Affected known Protocols (TLS):

  • HTTPS  
  • SMTP+StartTLS  
  • POP3S  
  • IMAPS  
  • SSH  
  • VPN  

The below post on the Logjam attack outlines the configuration changes needed generate a unique 2048-bit Diffie-Hellman group on common servers applications and will allow Server Test for HTTPS web servers.  
https://weakdh.org/sysadmin.html (Site experiencing heavy load)

eSentire Defenses

eSentire has confirmed that our internal systems and the sensors deployed at client sites are protected against this threat.  Current eSentire Continuous Vulnerability Service subscribers will receive in their next monthly report the details of any systems vulnerable to this attack. 

Further Protection

How to further protect yourself from these (and other) emerging threats: 

  • Ensure that all servers and browsers products are up-to-date.

Resources

eSentire Media Contacts

Mandy Bachus | eSentire | [email protected] | +1 519.651.2200 x5226 | @MandyBachus

Angela Tuzzo | MRB Public Relations | [email protected] | +1 732.758.1100 x105 | @MRB_PR

Ready to start the conversation about cybersecurity?
Talk to us today.
Let's Talk