by David Schwalenberg
June 23, 2015
The Logjam attack (CVE-2015-4000) exploits a flaw in the TLS protocol that allows a man-in-the-middle attacker to downgrade the cryptography on vulnerable TLS connections, allowing the attacker to read and modify data sent over the connection. The Logjam attack affects all web browsers and any server that still supports weak export-grade cryptography. This dashboard assists organizations with finding systems that are vulnerable to the Logjam attack so that they can be patched and properly configured.
The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Security Industry Trends.
The dashboard requirements are:
- SecurityCenter 4.8.2
- Nessus 6.3.4
- PVS 4.2.0
- LCE 4.4.1
The components in this dashboard primarily use active detections, passive detections, and event-based detections based on the CVE string to search for Logjam attack vulnerabilities. However, the Potentially at Risk Subnets component provides a list of all subnets containing systems that are using the TLS protocol. Since the Logjam attack makes use of a flaw in TLS, any applications using that protocol on the noted systems (such as web browsers, web and mail servers, and custom applications) are potentially at risk. These applications should be investigated, fully patched, and correctly configured.
The Patches Applied Status component reports progress on mitigating Logjam attack vulnerabilities. The "Detected" row displays hosts and vulnerabilities with the CVE within the cumulative vulnerability database. The "Patched" row also uses the CVE, but it searches within the mitigated vulnerability database. When a host is scanned, the scan results are stored in the cumulative database, where current vulnerabilities are stored. When the host is scanned again, if the vulnerability is no longer present, it is considered mitigated and the results are moved to the mitigated database. As mitigation efforts proceed, the counts of hosts and vulnerabilities in this component should move from the Detected row to the Patched row.
SecurityCenter Continuous View (CV) provides organizations with proactive continuous monitoring to identify the newest threats across the entire enterprise. SecurityCenter CV enables the organization to react to advanced threats, zero-day vulnerabilities and new forms of regulatory compliance. SecurityCenter CV supports more technologies than any other vendor, including operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure.
Listed below are the included components:
- At Risk to Logjam - Vulnerable Subnets - Using the Logjam CVE to match vulnerabilities, this table provides a list of subnets and the count of systems that are confirmed vulnerable to the Logjam attack. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify data sent over the connection. The table shows the affected subnets, total number of vulnerabilities, and a summary bar that is broken down by severity.
- At Risk to Logjam - Potentially At Risk Subnets (TLS Traffic Negotiation Detection) - This table provides a list of subnets and the count of systems that are using the TLS protocol. Since the Logjam attack makes use of a flaw in TLS, any systems using that protocol are potentially at risk. Make sure that all applications that use TLS on the noted systems (such as web browsers, web and mail servers, and custom applications) are fully patched and correctly configured.
- At Risk to Logjam - Patches Applied Status - This matrix reports progress on mitigating Logjam attack vulnerabilities. The "Detected" row displays hosts and vulnerabilities using the Logjam CVE within the cumulative vulnerability database. The "Patched" row also uses the Logjam CVE, but it searches within the mitigated vulnerability database. When a host is scanned, the scan results are stored in the cumulative database, where current vulnerabilities are stored. When the host is scanned again, if the vulnerability is no longer present, it is considered mitigated and the results are moved to the mitigated database. As mitigation efforts proceed, the counts of hosts and vulnerabilities in this component should move from the Detected row to the Patched row.
- At Risk to Logjam - Vulnerability Summary - Using the Logjam CVE to match vulnerabilities, this table provides a list of Logjam attack vulnerabilities sorted by severity. This provides a quick overview of the current vulnerabilities on the network. The analyst will need to drill down into each vulnerability to fully understand the associated risk. The table is sorted by severity level, showing the critical and high severity vulnerabilities at the top.
- At Risk to Logjam - Detection from Log Analysis - The Log Correlation Engine (LCE) collects and correlates log events to detect network activity and anomalies. When the LCE detects an event that indicates that a weak export cipher suite is in use (a potential Logjam attack), it triggers an event vulnerability that includes the Logjam CVE. This component provides a count of hosts on which this vulnerability was detected and a count of the vulnerability detections.
- Where is the POODLE - SSL Plugins - All the plugins that refer to SSL or certificates have been grouped into these indicators. An indicator will not be highlighted if no matches are found; however, if a match is found, the color will change. If all the plugins applied to the indicator have a severity of info or low, then the indicator will turn blue. If any of the selected plugins are medium, high, or critical, the color of the indicator will change to yellow, orange, or red accordingly. However, if there is a mix of info, low, medium, and high, the indicator will be purple. Indicators with a critical severity plugin will always be red.