Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, and protocols that rely on TLS.

On May 20, 2015, researchers uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed:

"Logjam attack" against the TLS protocol. The "Logjam attack" allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORT ciphers.

Threats from state-level adversaries. Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve (the most efficient algorithm for breaking a Diffie-Hellman connection) depends only on this prime. After this first step, an attacker can quickly break individual connections. See https://weakdh.org for more info.

Affected Products
Junos OS (XNM-SSL)*
WXOS

Products Not Affected
Junos OS (J-Web, SSH, IPsec/IKE)
Junos Space
ScreenOS
STRM/JSA
CTP/CTPView

Products Under Investigation
NSM/NSMXpress
Firefly Host

* See Product Status in Solution section below for specific versions of Junos OS.

Background and SIRT Analysis:
There are two aspects to "Logjam", both related to Diffie-Hellman key exchange:
(1) Active downgrade attack of TLS sessions: Affects SSL/TLS → CVE-2015-4000
(2) Passive attack on a DH group <= 1024: Can affect SSL/TLS, IPsec/IKE, and SSH

The active downgrade attack (1) is very similar to the previously published FREAK vulnerability, which has been addressed by JSA10679. The active attack is only against TLS sessions, and its purpose is to downgrade from a non-DHE_EXPORT ciphersuite to a DHE_EXPORT ciphersuite when the server supports DHE_EXPORT but the client does not.

The passive attack (2) is not technically considered a product security vulnerability by the Juniper SIRT, but rather a previously known weakness in smaller DH groups. As compute power increases, key strength must increase to maintain the same level of defense against brute force attack.

Product Status
Junos:
• SSL/TLS: SSL is used for remote network configuration and management applications such as J-Web and SSL Service for JUNOScript (XNM-SSL).
J-Web is not vulnerable. Export cipher suites (1) negotiated by J-Web are disabled by default in all supported versions of Junos.
XNM-SSL is vulnerable in earlier releases. Export cipher suites (1) used by XNM-SSL follow the defaults for OpenSSL found within each version of Junos. Export cipher suites are disabled by default in OpenSSL 1.0.1m and 0.9.8zf (Junos PR 1072809), corresponding to: Junos OS 12.1X44-D55, 12.1X46-D40, 12.1X47-D25, 12.3R10, 12.3X48-D20, 13.2R8, 13.3R7, 14.1R5, 14.2R3, 15.1R1, and all subsequent releases.
• SSH: SSH is configurable to use 2048-bit (dh-group14-sha1) keys with a default of 1024:
[edit system services ssh]
user@junos# set key-exchange ?

Possible completions:
[ Open a set of values
dh-group1-sha1 The RFC 4253 mandated group1 with SHA1 hash
dh-group14-sha1 The RFC 4253 mandated group14 with SHA1 hash
ecdh-sha2-nistp256 The EC Diffie-Hellman on nistp256 with SHA2-256
ecdh-sha2-nistp384 The EC Diffie-Hellman on nistp384 with SHA2-384
ecdh-sha2-nistp521 The EC Diffie-Hellman on nistp521 with SHA2-512
group-exchange-sha1 The RFC 4419 group exchange with SHA1 hash
group-exchange-sha2 The RFC 4419 group exchange with SHA2-256 hash
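Both aspects of Logjam described above leave traces that a passive TLS monitor or a TLS-terminating proxy can inspect in clear text: the cipher suite the server selects in ServerHello (the DHE_EXPORT suites are the goal of the active downgrade (1)), and the size of the prime p carried in ServerKeyExchange (the small groups of the passive attack (2)). The following Python check is an added example, not part of the Juniper advisory or of any Juniper product. It parses the ServerDHParams structure as defined in RFC 5246 section 7.4.3 and flags primes of 512 bits (export grade) or below 2048 bits, the size this advisory recommends for SSH and STRM/JSA; the handshake bytes and the modulus value are constructed for the example and are not a real DH group.

```python
"""Passive check for Logjam-style Diffie-Hellman weaknesses in a TLS handshake.

Added example, not part of the Juniper advisory. Two clear-text handshake
fields are inspected:
  1. the cipher suite chosen in ServerHello, flagged if it is one of the
     ephemeral-DH export suites the active downgrade aims for; and
  2. ServerDHParams inside ServerKeyExchange (RFC 5246 section 7.4.3),
     flagged if the prime p is export-grade (512 bits) or below 2048 bits.
"""
import struct

# IANA cipher suite IDs (RFC 2246 appendix A.5) of the DHE export suites.
DHE_EXPORT_SUITES = {
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def parse_server_dh_params(body: bytes):
    """Parse ServerDHParams: opaque dh_p<1..2^16-1>, dh_g<...>, dh_Ys<...>.

    Returns (p, g, Ys) as ints. Raises ValueError on truncated or malformed
    input instead of silently reading past the end of the buffer.
    """
    off = 0
    fields = []
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before length field of {name}")
        (length,) = struct.unpack_from("!H", body, off)
        off += 2
        if length == 0 or off + length > len(body):
            raise ValueError(f"bad length {length} for {name}")
        fields.append(int.from_bytes(body[off:off + length], "big"))
        off += length
    return tuple(fields)


def assess_dh_group(p: int, min_bits: int = 2048) -> dict:
    """Classify the server's DH modulus by bit length."""
    bits = p.bit_length()
    return {
        "p_bits": bits,
        # 512-bit primes are what DHE_EXPORT suites negotiate (aspect 1).
        "export_grade": bits <= 512,
        # Groups of 1024 bits or less are the passive-attack class (aspect 2).
        "weak": bits < min_bits,
    }


def assess_cipher_suite(suite: int) -> dict:
    """Flag a ServerHello cipher suite if it is a DHE export suite."""
    return {
        "suite": f"0x{suite:04x}",
        "dhe_export": suite in DHE_EXPORT_SUITES,
        "name": DHE_EXPORT_SUITES.get(suite, "not a DHE export suite"),
    }


def build_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Encode ServerDHParams; used here only to construct sample input."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed sample: a 512-bit odd modulus with the top bit set, the shape
# an export-grade server would send. The value is arbitrary, not a real group.
SAMPLE_EXPORT_P = (1 << 511) | 0x9C7F1B3D5E2A7F01
SAMPLE_SKE = build_server_dh_params(SAMPLE_EXPORT_P, 2, 0x12345678)

if __name__ == "__main__":
    p, g, ys = parse_server_dh_params(SAMPLE_SKE)
    print(assess_dh_group(p))            # 512-bit p: export_grade and weak
    print(assess_cipher_suite(0x0014))   # DHE_RSA export suite: flagged
    print(assess_cipher_suite(0x0033))   # TLS_DHE_RSA_WITH_AES_128_CBC_SHA: not flagged
```

A monitor that sees either signal (an export suite in ServerHello, or a sub-2048-bit p in ServerKeyExchange) has observed exactly the condition this advisory asks administrators to remove from their servers; on a device that has been updated as described in the Solution section, neither should appear.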
• IPsec/IKE: The paper describing this attack describes Diffie-Hellman Group 1 as potentially vulnerable to an academic group, and DH Group 2 as potentially vulnerable to a nation-state actor. In order to avoid potential exposure, the use of these two groups should be avoided. Configuration options that could select these groups are:
[edit security group-vpn member ike policy policy-name]
[edit security group-vpn server ike policy policy-name]
[edit security ike policy policy-name]
in which the policy includes a reference to any of the pre-defined IKE exchange proposals shown below that contain groups 1 and 2:

basic: Basic set of two IKE proposals:
Proposal 1: Preshared key, Data Encryption Standard (DES) encryption, and Diffie-Hellman (DH) group 1 and Secure Hash Algorithm 1 (SHA-1) authentication.
Proposal 2: Preshared key, DES encryption, and DH group 1 and Message Digest 5 (MD5) authentication.

compatible: Set of four commonly used IKE proposals:
Proposal 1: Preshared key, triple DES (3DES) encryption, and DH group 2 and SHA-1 authentication.
Proposal 2: Preshared key, 3DES encryption, and DH group 2 and MD5 authentication.
Proposal 3: Preshared key, DES encryption, and DH group 2 and SHA-1 authentication.
Proposal 4: Preshared key, DES encryption, and DH group 2 and MD5 authentication.

standard: Standard set of two IKE proposals:
Proposal 1: Preshared key, 3DES encryption, and DH group 2 and SHA-1 authentication.
Proposal 2: Preshared key, Advanced Encryption Standard (AES) 128-bit encryption, and DH group 2 and SHA-1 authentication.

The same would apply to a custom IKE or IPsec proposal that contains references to groups 1 or 2. These are configured under:
[edit security ike proposal]
[edit security ipsec policy keys]

Note that Junos does not ship with pre-computed Diffie-Hellman keys (2). All DH keys are ephemeral; they are generated for a single SA and are never re-used.

Junos Space: Junos Space does not support Diffie-Hellman keys for SSL/TLS and is therefore not vulnerable (1). OpenSSH defaults to 2048-bit diffie-hellman-group14-sha1 (2), but can be configured to use other key exchange algorithms by modifying the KexAlgorithms parameter within /etc/ssh/sshd_config.

NSM: Still under investigation.

ScreenOS: ScreenOS is not vulnerable to the SSL/TLS downgrade attack (1). ScreenOS supports Diffie-Hellman Groups 1, 2, 5 & 14: http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_VPN.pdf
KB14667 also notes that ScreenOS supports DH Groups 5 and 14 (depending on version), which are currently considered strong enough to address concerns over brute-force attack (2).

Firefly Host: Still under investigation.

STRM/JSA: httpd does not use export grade ciphers (1), and the Diffie-Hellman ciphers that are in use with httpd are 1024 bit (2). httpd will be updated to use 2048-bit Diffie-Hellman ciphers in a future release. Server-side Java is not vulnerable as httpd controls the ciphers; however, client-side Java connecting out to integrations may be vulnerable. Java will be updated in the near future to mitigate this.

CTP/CTPView: CTP does not have an SSL/TLS listener and SSH is not configurable. CTPView does not support Diffie-Hellman nor export-grade ciphers.

Junos: Since SSL is used for remote network configuration and management applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:
• Disabling J-Web
• Disabling SSL service for JUNOScript and only using NETCONF, which makes use of SSH, to make configuration changes
• Limiting access to J-Web and XNM-SSL to only trusted networks
Note that J-Web is not vulnerable in any release of Junos OS, and XNM-SSL is only vulnerable in releases prior to those listed in the Solution section above.

In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the router via SSL and SSH only from trusted, administrative networks or hosts.

Modification History:
2015-05-29: Initial publication
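The SSH key-exchange, IKE proposal and workaround sections above all reduce to a handful of Junos configuration statements an administrator can check for. The Python script below is an added example, not Juniper code or output, that audits a Junos configuration in "set" form for those statements: the 1024-bit dh-group1-sha1 SSH exchange, IKE policies that select the pre-defined proposal sets basic, compatible or standard (each of which contains DH group 1 or 2), custom IKE proposals using group1 or group2, and the xnm-ssl service whose disabling the workaround section recommends. The `proposal-set` and `dh-group` keywords are standard Junos statements that the advisory does not spell out; the sample configuration is constructed for this example and is not taken from any real device.

```python
"""Audit a Junos configuration (set-command form) for the Diffie-Hellman
settings discussed in this advisory. Added example, not Juniper code.

Findings raised:
  * system services ssh key-exchange dh-group1-sha1  (1024-bit group)
  * IKE policies using the pre-defined proposal sets basic, compatible or
    standard, all of which contain DH group 1 or group 2
  * custom IKE proposals whose dh-group is group1 or group2
  * the xnm-ssl service being enabled (the advisory's workaround is to
    disable it and use NETCONF over SSH instead)
"""
import re

# Pre-defined IKE proposal sets named in the advisory; each contains
# at least one proposal with DH group 1 or 2.
WEAK_PROPOSAL_SETS = {"basic", "compatible", "standard"}
# Junos dh-group values for the two groups the advisory says to avoid.
WEAK_DH_GROUPS = {"group1", "group2"}

# Patterns for the statements of interest. group-vpn member/server policies
# share the proposal-set syntax with plain IKE policies, so one pattern covers
# all three hierarchies quoted in the advisory.
RE_SSH_GROUP1 = re.compile(r"^set system services ssh key-exchange dh-group1-sha1\b")
RE_PROPOSAL_SET = re.compile(
    r"^set security (?:group-vpn (?:member|server) )?ike policy \S+ proposal-set (\S+)")
RE_CUSTOM_DH = re.compile(r"^set security ike proposal \S+ dh-group (\S+)")
RE_XNM_SSL = re.compile(r"^set system services xnm-ssl\b")


def audit_junos_config(config: str) -> list:
    """Return a list of (severity, statement, reason) tuples, in config order."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue  # skip comments, blank lines and non-set output
        if RE_SSH_GROUP1.match(line):
            findings.append(("high", line,
                             "SSH permits the 1024-bit dh-group1-sha1 exchange; "
                             "prefer dh-group14-sha1 or an ecdh-sha2 group"))
        m = RE_PROPOSAL_SET.match(line)
        if m and m.group(1) in WEAK_PROPOSAL_SETS:
            findings.append(("high", line,
                             f"pre-defined proposal-set '{m.group(1)}' "
                             "contains DH group 1 or 2"))
        m = RE_CUSTOM_DH.match(line)
        if m and m.group(1) in WEAK_DH_GROUPS:
            findings.append(("high", line,
                             f"custom IKE proposal uses {m.group(1)} (1024 bits or less)"))
        if RE_XNM_SSL.match(line):
            findings.append(("medium", line,
                             "XNM-SSL enabled; workaround is to disable it and "
                             "use NETCONF over SSH"))
    return findings


# Constructed sample configuration for the example, not from a real device.
SAMPLE_CONFIG = """\
set system services ssh key-exchange dh-group1-sha1
set system services ssh key-exchange dh-group14-sha1
set system services xnm-ssl
set security ike policy ike-pol-1 mode main
set security ike policy ike-pol-1 proposal-set compatible
set security ike proposal custom-prop dh-group group2
set security ike proposal strong-prop dh-group group14
set security ike policy ike-pol-2 proposals strong-prop
"""

if __name__ == "__main__":
    for severity, statement, reason in audit_junos_config(SAMPLE_CONFIG):
        print(f"[{severity}] {statement}\n        {reason}")
```

Run against the sample, the audit reports four findings: the group1 SSH exchange, the enabled xnm-ssl service, the `compatible` proposal set and the custom group2 proposal; the group14 statements pass. The same function can be fed the output of `show configuration | display set` saved to a file.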

Information for how Juniper Networks uses CVSS can be found at KB 16446 “Common Vulnerability Scoring System (CVSS) and Juniper’s Security Advisories.”
