CVE-2015-4000 is a vulnerability in the TLS protocol, known as 'Logjam'. Logjam is an attack against the Diffie-Hellman key exchange used in TLS.
"The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable."
There is an additional whitepaper available that also describes this vulnerability.
Operating system (OS) vendors released the following security advisories to address this vulnerability:
Apply the script on a test environment first. Contact Plesk Technical Support in case of any arising issues.
The script will patch properly only if you have OpenSSL version 1.0.1 or higher, because earlier versions do not support TLS v1.1 and TLS v1.2.
~# wget http://kb.odin.com/Attachments/kcs-51784/SSLfix.zip
~# unzip SSLfix.zip
~# chmod +x SSLfix.sh
./SSLfix.sh [v3|dh] [service name like apache, nginx]
Without arguments it patches the configuration of all services for both SSLv3 (POODLE) and weak DH (Logjam).
NOTE: The script also protects from CVE-2014-3566: POODLE attack.
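Before running a patch script on a production host it helps to know which of the two weaknesses a given configuration actually has. The following audit is an added example, not Plesk's SSLfix.sh and not part of this article: it checks an Apache mod_ssl configuration fragment for SSLv3 (POODLE) and for a cipher string that still admits export-grade suites (the Logjam downgrade) and prints a hardened replacement. The config text is constructed for the demo, the cipher-string checks are a heuristic over OpenSSL cipher-list keywords, and the file path in the usage hint is an assumption.

```shell
#!/bin/sh
# Added example, not Plesk's SSLfix.sh: audit an Apache-style SSL config for
# SSLv3 (POODLE, CVE-2014-3566) and export-grade suites (Logjam, CVE-2015-4000)
# and print a hardened replacement. Directive names are real mod_ssl
# directives; the config text and the path in the usage hint are assumptions.

# Constructed sample: a typical pre-2015 vhost fragment. "ALL" pulls in the
# EXPORT suites, and "all" for the protocol list still includes SSLv3.
SAMPLE_CONF='SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:RC4+RSA:+HIGH:+MEDIUM
SSLHonorCipherOrder on'

# last_directive CONF NAME -> prints the last occurrence of a directive
# (the last one wins in mod_ssl, so that is the effective setting).
last_directive() {
    printf '%s\n' "$1" | grep -i "^[[:space:]]*$2[[:space:]]" | tail -n 1
}

# sslv3_enabled CONF -> exit 0 if the config still permits SSLv3
sslv3_enabled() {
    proto=$(last_directive "$1" SSLProtocol)
    [ -z "$proto" ] && return 0          # no directive: server default, treat as enabled
    case "$proto" in
        *-SSLv3*) return 1 ;;            # explicitly disabled
        *all*|*SSLv3*) return 0 ;;       # "all" or "+SSLv3"/"SSLv3" listed
    esac
    return 1                             # e.g. "SSLProtocol TLSv1.2"
}

# weak_dh_enabled CONF -> exit 0 if export-grade (DHE_EXPORT) suites may be offered.
# Heuristic over the OpenSSL cipher string: ALL, DEFAULT and EXP* keywords admit
# export suites unless an explicit !EXPORT (or !EXP) removes them.
weak_dh_enabled() {
    ciphers=$(last_directive "$1" SSLCipherSuite)
    [ -z "$ciphers" ] && return 0        # no directive: server default, review it
    case "$ciphers" in
        *'!EXPORT'*|*'!EXP'*) return 1 ;;
    esac
    case "$ciphers" in
        *ALL*|*DEFAULT*|*EXP*) return 0 ;;
    esac
    return 1
}

# hardened_conf -> prints replacement directives: no SSLv3, no export suites,
# server-side cipher order. On Apache 2.4.8+ with OpenSSL 1.0.2 a 2048-bit
# group can additionally be pinned with
#   SSLOpenSSLConfCmd DHParameters "/path/to/dhparams.pem"   (placeholder path)
hardened_conf() {
    cat <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
SSLHonorCipherOrder on
EOF
}

# audit_ssl_conf CONF -> one FINDING line per problem; exit 0 if clean, 1 otherwise
audit_ssl_conf() {
    rc=0
    if sslv3_enabled "$1"; then
        echo "FINDING: SSLv3 still enabled (POODLE, CVE-2014-3566)"; rc=1
    fi
    if weak_dh_enabled "$1"; then
        echo "FINDING: export-grade cipher suites allowed (Logjam, CVE-2015-4000)"; rc=1
    fi
    return $rc
}

# Usage on a real host: feed the vhost file instead of the sample, e.g.
#   audit_ssl_conf "$(cat /etc/httpd/conf.d/ssl.conf)"   # path is an assumption
if audit_ssl_conf "$SAMPLE_CONF"; then
    echo "sample config is clean"
else
    echo "--- suggested replacement ---"
    hardened_conf
fi
```

Run against the constructed sample the audit reports both findings; run against its own hardened output it reports none. The check is deliberately conservative: a missing directive is treated as "needs review" rather than "safe", because the effective default then depends on the Apache and OpenSSL versions installed.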
- Open the Group Policy Object Editor (i.e., run gpedit.msc in the command prompt).
- Expand Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
- Under SSL Configuration Settings, open the SSL Cipher Suite Order setting.
- Set up a strong cipher suite order. See this list of Microsoft's supported ciphers and Mozilla's TLS configuration instructions.