SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (VPN)  >   OpenSSL Vendors:   OpenSSL.org
(CentOS Issues Fix) OpenSSL TLS Diffie-Hellman Export Cipher Downgrade Attack Lets Remote Users Decrypt Connections
SecurityTracker Alert ID:  1032508
SecurityTracker URL:  http://securitytracker.com/id/1032508
CVE Reference:   CVE-2015-4000   (Links to External Site)
Date:  Jun 5 2015
Impact:   Modification of authentication information
Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in OpenSSL. A remote user may be able to decrypt TLS connections in certain situations.

A remote user that can conduct a man-in-the-middle attack can cause the target system to downgrade the Diffie-Hellman algorithm to 512-bit export-grade cryptography. The remote user may then be able to decrypt the connection.

This vulnerability resides in the TLS protocol and not in the specific TLS implementation, but the vulnerability is exposed because the target system supports export-grade ciphers.

This attack is known as the "Logjam" attack.

The original advisory is available at:

https://weakdh.org/imperfect-forward-secrecy.pdf

David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thome, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Beguelin, and Paul Zimmermann reported this vulnerability.

Impact:   A remote user that can conduct a man-in-the-middle attack can cause the target system to use weak cryptography that can be decrypted.
Solution:   CentOS has issued a fix (Advisory CESA-2015:1072).
Vendor URL:  www.openssl.org/news/secadv_20150611.txt (Links to External Site)
Cause:   Authentication error
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
Jun 3 2015 OpenSSL TLS Diffie-Hellman Export Cipher Downgrade Attack Lets Remote Users Decrypt Connections



 Source Message Contents

Subject:  [CentOS-announce] CESA-2015:1072 Moderate CentOS 7 openssl Security Update


CentOS Errata and Security Advisory 2015:1072 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1072.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

x86_64:
23939456cb1c15c92a2dbd2bd3ad55b548fccfdab765b62402628fb5c6ccc374  openssl-1.0.1e-42.el7.6.x86_64.rpm
fb2d6d5e3cb02a1326f147ebf1523ec0040cf28fcb03de221081921706e6d148  openssl-devel-1.0.1e-42.el7.6.i686.rpm
30badcd3e211e702b31e30f062dbbf33bc4d4b7574ae711d480c15cb23c6109d  openssl-devel-1.0.1e-42.el7.6.x86_64.rpm
6b810bba11af22159377a0bd57c60f39a26e2595d786fc71dc0526419f0f6d74  openssl-libs-1.0.1e-42.el7.6.i686.rpm
0216a002329c6a7521802189a135aa8eeaafe2f572a410fc668c97c8725b5240  openssl-libs-1.0.1e-42.el7.6.x86_64.rpm
e6df95089fdfcea486ccc022b4e627e63e1343c633a255485a6b5052f34b5bdf  openssl-perl-1.0.1e-42.el7.6.x86_64.rpm
0b3df8f98c4c7ec137c084bfacf19f5c13aa8c333cf0f1d7a80621869856d88a  openssl-static-1.0.1e-42.el7.6.i686.rpm
c3ac3aa63c1a9be69bab396dae351d90ac70e0cb4616284652537471aef0c5ac  openssl-static-1.0.1e-42.el7.6.x86_64.rpm

Source:
f657c1010ec82fe8450559fa3ea64de6165a85a14b114029b4906ac3439f1ac5  openssl-1.0.1e-42.el7.6.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC