The Logjam Attack in bugzilla.mozilla.org:-

RESOLVED WONTFIX

Status

()

bugzilla.mozilla.org
Infrastructure
RESOLVED WONTFIX
3 years ago
2 years ago

People

(Reporter: Nithish Varghese, Unassigned)

Tracking

Production
Bug Flags:
sec-bounty -

Details

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36

Steps to reproduce:

Hi Team,


I have found a vulnerability in your website. The complete details are
as follows:-




I found some weak cipher suites in bugzilla.mozilla.org which leads to Logjam Attack are as follows:-


TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK	128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK	256



Patch:-

As the website is vulnerable, you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. We have published a Guide to Deploying Diffie-Hellman for TLS with step-by-step instructions. If you use SSH, you should upgrade both your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman Key Exchange.





Actual results:



I found some weak cipher suites in bugzilla.mozilla.org which leads to Logjam Attack are as follows:-


TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK	128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK	256



Expected results:


##  :- The Logjam Attack in bugzilla.mozilla.org:-

Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS.

We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed:

Logjam attack against the TLS protocol. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable.
Threats from state-level adversaries. Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections.


Websites, mail servers, and other TLS-dependent services that support DHE_EXPORT ciphers are at risk for the Logjam attack. 




Patch:-

As the website is vulnerable, you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. We have published a Guide to Deploying Diffie-Hellman for TLS with step-by-step instructions. If you use SSH, you should upgrade both your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman Key Exchange.




I think that by these words, you understand what the problem is.

If possible please fix this as soon as possible.

Waiting for your reply. Please do a reply soon.

With Kind Regards

Nithish Varghese  (nithish.varghese2011@gmail.com)
Component: General → Infrastructure
QA Contact: mcote
Group: bugzilla-security → infra
Flags: sec-review?(jvehent)
Flags: sec-bounty?
(Reporter)

Comment 1

3 years ago
Hi Byron,

I am not understanding you. 
Please do me a proper reply. Waiting to hear you.

With Kind Regards
Nithish Varghese
The usage of a 1024 bits DHE parameter is needed to maintain compatibility with some ancient clients. As soon as possible, we'll upgrade, but it isn't possible today.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX
(Reporter)

Comment 3

3 years ago
Hi Julien,

Thank you for this response.

And any update with sec-bounty?

Waiting to hear you for this.

With kind Regards
Nithish Varghese
It does not qualify. This issue is not original and does not contain a method of compromise. I invite you to review the bug bounty guidelines here: https://www.mozilla.org/en-US/security/web-bug-bounty/
Flags: sec-review?(jvehent)
The "logjam attack" involved downgrading the advertised non-export key length to crackable "export" length keys. You haven't demonstrated that happens on bugzilla. 1024 bits is considered "at risk" (or weak) but not yet broken.
Flags: sec-bounty? → sec-bounty-
(Reporter)

Comment 6

3 years ago
Please have a look on to this:-

http://ssllabs.com/ssltest/analyze.html?d=bugzilla.mozilla.org

Waiting to hear you.     sec-bounty? or any Hall of Fame?
We are aware of the SSL Labs results for this domain and consider it "by design" / "acceptable as deployed" at this time, and per comment 4 and 5 do not consider it a security risk at this time.
(Reporter)

Comment 8

3 years ago
Certificate uses a weak signature.

The server does not support Forward Secrecy with the reference browsers.


Impact:-

Attackers might decrypt SSL traffic between your server and your visitors.

Remedy:-
Configure your web server to disallow using weak ciphers.

Waiting for your response .!!!
(Reporter)

Comment 9

3 years ago
How can you wait for an attacker crack down or decrypt the ssl trafic.

Then what was the use of SSL if this is set to weak.
:-(


Waiting to hear you.
Nithish, thank you for comment 8; we've made two improvements that address two of your listed concerns. (These improvements do not affect the security bounty decision.)

(In reply to Nithish Varghese from comment #8)

> Certificate uses a weak signature.

This has been addressed by deploying a SHA-2 certificate.

> The server does not support Forward Secrecy with the reference browsers.

This has been addressed by updating our software and altering the available ciphersuites.

Opening the bug to the public as there is no private security information contained within.
Group: infra
(Reporter)

Comment 11

2 years ago
Hi Richard,

Very happy to heard that it has been corrected now. And I can confirm that it has been updated.
Sir, if not a bounty, as you have patched the request made by me. So, please can I get listed in Firefox Hall Of Fame as a token of appreciation.

Waiting to hear you. Please do me a reply soon.

With Kind Regards
Nithish M. Varghese
(Reporter)

Comment 12

2 years ago
Hi Sir,

I would like to let you know one more thing that, after updating the certificates of your domain.
The weak DH Parameters has been increased which is as follows:-

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK	128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK	256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK	128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK	256
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK	112


If possible do a fix for this also.

Waiting to hear you. Please do me a reply soon.

With Kind Regards
Nithish M. Varghese
As above, we understand the DH parameter issue you're reporting and have chosen to take no action. Hall of Fame is part of the bounty evaluation program. I defer to comment 4.
You need to log in before you can comment on or make changes to this bug.