Logjam TLS Attack (Weak Diffie-Hellman) and Novell Products

  • 7016528
  • 20-May-2015
  • 01-Jun-2015

Environment

Novell Filr
Novell GroupWise
Novell GroupWise Mobile Server
Novell iPrint
Novell Messenger
Novell Open Enterprise Server
Novell ZENworks
Novell Vibe

Situation

In May 2015, researchers announced a weakness in how the Diffie-Hellman (DH) key exchange is used in many encrypted connection protocols. A weakness in the TLS protocol could allow a man-in-the-middle to downgrade a DH key exchange to an export-grade (weaker) DH key exchange, thereby allowing the attacker to calculate the TLS session key and read or modify all encrypted traffic. Additionally, a passive attacker with sufficient computing resources may be able to eavesdrop on encrypted communications between two parties that use weak and/or common Diffie-Hellman primes in their key exchange.

For more information see: https://weakdh.org and https://www.suse.com/security/cve/CVE-2015-4000.html

Resolution

The active man-in-the-middle attack is only applicable in scenarios where the server allows the use of an export-grade Diffie-Hellman cipher suite. As a general rule, all Novell products are configured by default to disallow the export cipher suites. We are working with individual engineering teams to verify that this is the case. See the individual product sections below for more detail.

The passive attack can be mitigated by either choosing a sufficiently large and random Diffie-Hellman prime or by enabling Elliptic Curve Diffie-Hellman (ECDH) key exchange.

Novell is investigating how the Logjam vulnerability affects each of our products, and this TID will be updated with more information as soon as it is available.

Novell Filr 1.1 and 1.2

  • Web Application: Export cipher suites are disabled. Server does NOT support ECDH. Uses a 1024 bit prime for DH key exchange.
  • Appliance Configuration (port 9443): Export cipher suites are disabled. Server does NOT support ECDH. Uses a 1024 bit prime for DH key exchange.

Novell GroupWise 

Versions 12.0.x and 14.0.x

  • POA, MTA, GWIA, DVA: Export cipher suites are disabled. Additionally, these agents are not configured to do Diffie-Hellman key exchange.

  • WebAccess, Calendar Publisher, Monitor: TLS configuration is handled by the hosting web server (either Apache or Microsoft IIS). Consult your web server documentation for appropriate parameters.

Version 14.0.x
  • Admin Console/Service - Export cipher suites are disabled. Server supports ECDH. Uses a 768 bit prime for DH key exchange.
  • Planned for future 2014 update: Upgrade DH key exchange to JRE default of 1024-bit. Enable ECDH for GroupWise POA, MTA, GWIA, DVA.

 

Novell GroupWise Mobile Server

  • Export algorithms are disabled. Not configured for Diffie-Hellman key exchange.

 

Novell iPrint

  • Appliance Configuration (port 9443): Export cipher suites are disabled. Server does NOT support ECDH. Uses a 1024 bit prime for DH key exchange.
  • eDir: After assessment, eDir team concludes that eDir is not vulnerable.
  • All other iPrint services: Export ciphers are disabled. Do not support ECDH. Either not configured for DH key exchange or uses at least a 1024 bit prime.

Novell Messenger

Version 3.0.x

  • Messaging Agent, Archive Agent: Export cipher suites disabled. Server supports ECDH. Not configured for non-elliptic curve DH key exchange.

Novell Open Enterprise Server

  • Information on SUSE Linux Enterprise Server can be found in this TID: https://support.microfocus.com/kb/doc.php?id=7016529
  • SMS: After assessment, SMS team concludes that SMS is not vulnerable. Server does not support ECDH. Diffie-Hellman key exchange uses 1024 bit prime.
  • AFP: After assessment, AFP team concludes that AFP is not vulnerable.
  • eDir: After assessment, eDir team concludes that eDir is not vulnerable.
  • All other OES services: Export ciphers are disabled. Do not support ECDH. Either not configured for DH key exchange or uses at least a 1024 bit prime.

 

Novell Vibe 3.4 and 4.0

  • Web Application: Export cipher suites disabled. Server supports ECDH. Uses a 1024 bit prime for DH key exchange.

 

Novell ZENworks

  • ZENworks Server: Export ciphers are disabled. Server does NOT support ECDH. Diffie-Hellman key exchange uses 1024 bit prime.
  • SSH Server: The SSH server included in the ZENworks appliance may be vulnerable in its default configuration. You can harden the SSH server by removing the diffie-hellman-group1-* algorithms from the list of supported key exchange algorithms. For more information, please see the OpenSSH section on https://weakdh.org/sysadmin.html
  • Other SSL services: Export ciphers are disabled.
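
The SSH hardening step above, as an added example (not Novell's own code or procedure): it reads the effective key exchange list as printed by `sshd -T` and emits a `KexAlgorithms` directive with every diffie-hellman-group1-* entry removed. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a hardened KexAlgorithms directive for sshd_config.
# Input is the effective server configuration in `sshd -T` format.

# Print the comma-separated KEX list found on stdin (first match only).
current_kex() {
    awk 'tolower($1) == "kexalgorithms" { print $2; exit }'
}

# Remove every diffie-hellman-group1-* entry from a comma-separated list.
# group14, group16 and group-exchange entries do not match and are kept.
strip_group1() {
    printf '%s\n' "$1" | tr ',' '\n' |
        grep -v '^diffie-hellman-group1-' | paste -sd, -
}

# Emit the directive for sshd_config.
# Returns 2 if the input has no kexalgorithms line (some builds do not
# print one), 3 if removing group1 would leave no algorithm at all.
hardened_directive() {
    kex=$(current_kex)
    [ -n "$kex" ] || { echo "no kexalgorithms line in input" >&2; return 2; }
    kept=$(strip_group1 "$kex")
    [ -n "$kept" ] || { echo "only group1 algorithms were offered" >&2; return 3; }
    printf 'KexAlgorithms %s\n' "$kept"
}

# Constructed sample of `sshd -T` output (assumption, not from an appliance).
SAMPLE_SSHD_T='port 22
kexalgorithms ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
ciphers aes128-ctr,aes256-ctr'

printf '%s\n' "$SAMPLE_SSHD_T" | hardened_directive
# On a live host (as root): sshd -T | hardened_directive
```

After adding the emitted line to sshd_config, validate the file with `sshd -t` before reloading the SSH service.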

Status

Security Alert