SecurityTracker.com
Category:   Application (VPN)  >   OpenSSL
Vendors:   OpenSSL.org
(CentOS Issues Fix) OpenSSL TLS Diffie-Hellman Export Cipher Downgrade Attack Lets Remote Users Decrypt Connections
SecurityTracker Alert ID:  1032507
SecurityTracker URL:  http://securitytracker.com/id/1032507
CVE Reference:   CVE-2015-4000
Date:  Jun 5 2015
Impact:   Modification of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in OpenSSL. A remote user may be able to decrypt TLS connections in certain situations.

A remote user that can conduct a man-in-the-middle attack can cause the target system to downgrade the Diffie-Hellman algorithm to 512-bit export-grade cryptography. The remote user may then be able to decrypt the connection.

This vulnerability resides in the TLS protocol and not in the specific TLS implementation, but the vulnerability is exposed because the target system supports export-grade ciphers.

This attack is known as the "Logjam" attack.
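
The exposure described above depends on the target still offering export-grade DH suites. The following check is an added example, not part of this SecurityTracker entry or the CentOS advisory: it reads text in the format printed by `openssl ciphers -v` and lists the suites whose key exchange is DH capped at 512 bits. The sample lines are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list cipher suites that use 512-bit export-grade DH.
# Input is text in the format printed by `openssl ciphers -v`.

# Constructed sample in `openssl ciphers -v` format (not captured from a real host).
sample_ciphers() {
cat <<'EOF'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EOF
}

# Print the name of every suite whose key exchange is DH limited to <= 512 bits.
# Export RSA suites (Kx=RSA(512)) are deliberately not matched: this check is
# scoped to the DH downgrade described in the entry.
export_dh_suites() {
    awk '
        {
            for (i = 2; i <= NF; i++) {
                # Kx=DH(512) means DH key exchange with a 512-bit size limit
                if ($i ~ /^Kx=DH\([0-9]+\)$/) {
                    bits = $i
                    gsub(/[^0-9]/, "", bits)
                    if (bits + 0 <= 512) print $1
                }
            }
        }'
}

# Return 1 when at least one export-grade DH suite is present, 0 otherwise.
check_cipher_list() {
    found=$(export_dh_suites)
    if [ -n "$found" ]; then
        printf 'export-grade DH suites enabled:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Real use (assumes the openssl CLI is installed; DEFAULT is the string to audit):
#   openssl ciphers -v 'DEFAULT' | check_cipher_list
sample_ciphers | export_dh_suites
```

Run it against the cipher string a service is actually configured with; a clean result means no 512-bit DH suite is offered by that configuration.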

The original advisory is available at:

https://weakdh.org/imperfect-forward-secrecy.pdf

David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thome, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Beguelin, and Paul Zimmermann reported this vulnerability.

Impact:   A remote user that can conduct a man-in-the-middle attack can cause the target system to use weak cryptography that can be decrypted.
Solution:   CentOS has issued a fix (Advisory CESA-2015:1072).
Vendor URL:  www.openssl.org/news/secadv_20150611.txt
Cause:   Authentication error
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  6

Message History:   This archive entry is a follow-up to the message listed below.
Jun 3 2015 OpenSSL TLS Diffie-Hellman Export Cipher Downgrade Attack Lets Remote Users Decrypt Connections



 Source Message Contents

Subject:  [CentOS-announce] CESA-2015:1072 Moderate CentOS 6 openssl Security Update


CentOS Errata and Security Advisory 2015:1072 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1072.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
61a340e1f4c073fce63dcaeb0c20330451f09fb2e63f170da1bcbb359df24fe3  openssl-1.0.1e-30.el6.9.i686.rpm
e2d72bc63138543ec5d3324ecf4b5bbb934fd5d4c5ba8d2238b6eb3f45c36cd6  openssl-devel-1.0.1e-30.el6.9.i686.rpm
3161722f72ab9ef7437a755e494d088eee710a6d94d24c874629569494e3a766  openssl-perl-1.0.1e-30.el6.9.i686.rpm
b38a56910840a8a55b604641cb6069a8b7ef01aaa2710bc4c6c5cc4a58df403e  openssl-static-1.0.1e-30.el6.9.i686.rpm

x86_64:
61a340e1f4c073fce63dcaeb0c20330451f09fb2e63f170da1bcbb359df24fe3  openssl-1.0.1e-30.el6.9.i686.rpm
abf1c59ad113a230124ecefde6e2ef1cad8a21e52b2545a72b57e6d4fb6a1477  openssl-1.0.1e-30.el6.9.x86_64.rpm
e2d72bc63138543ec5d3324ecf4b5bbb934fd5d4c5ba8d2238b6eb3f45c36cd6  openssl-devel-1.0.1e-30.el6.9.i686.rpm
0aa7aeeecee811ec3ccfbbdce757025e6cddf3b8e1c9b0d9e6de70a9edb8e89e  openssl-devel-1.0.1e-30.el6.9.x86_64.rpm
630717c9db143cb84e3110247be1b71cecd37978c745bfed02cf3632ea2541d8  openssl-perl-1.0.1e-30.el6.9.x86_64.rpm
9fc173b782d134200cc370521ba537601950fed0451d2535fd2c9c6adb6e1f7f  openssl-static-1.0.1e-30.el6.9.x86_64.rpm

Source:
ec7e2f4d6983f9e3c8537b340bc68df69c15440676b48d6bda49b90e721762d0  openssl-1.0.1e-30.el6.9.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
