KB Article #177177
"Logjam" vulnerability (CVE-2015-4000) and MailGate
Problem
The recently announced CVE-2015-4000 vulnerability is described in the US National Vulnerability Database (NVD) as follows:
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
This vulnerability (a.k.a. "Logjam") allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. An attacker can leverage the flaw to read and alter encrypted data. Websites, mail servers (SMTP, POP3S, IMAP), and other services that rely on TLS and support DHE_EXPORT ciphers are vulnerable.
Resolution
MailGate 5.3.0 and later do not use DHE_EXPORT ciphers, as they are disabled by default. Hence, MailGate is not vulnerable to CVE-2015-4000.
Useful links:
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=C...
- https://openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
- https://weakdh.org/imperfect-forward-secrecy.pdf
- http://blog.cryptographyengineering.com/2015/05/at...
Notes:
Researchers suspect that nation-scale adversaries may even have broken 1024-bit Diffie-Hellman for a few common groups. According to researchers, *though it remains speculation*, 1024-bit DH might be in range of being broken by a nation-state. According to their estimates, that’s about 45 million core years of computation. Therefore some PCI scans would alert that 1024-bit DH ciphers are weak. CVE-2015-4000 itself concerns the DHE_EXPORT ciphers; the key length of the DH group is not what this vulnerability is about.
MailGate uses a 1024-bit Diffie-Hellman group. So if you would like to pass PCI scans and be compliant with the SP 800-131A standard, disabling the 1024-bit DH ciphers should be considered. MG supports Elliptic-Curve Diffie-Hellman (ECDHE) ciphers, so after disabling the DH group, ECDHE will still be in use. ECDHE is a relatively new algorithm and not as widely supported, so some legacy SMTP servers may not support it and may have problems as a result. ECDHE is supported by all major modern web browsers and by web and mail server implementations nowadays.
Disabling DH ciphers, if required, requires remote access to the appliance, so please contact Axway Global Support for assistance.
The following describes what is changed on the backend in order to disable the DH ciphers for both HTTPS and SMTP:
- Disabling DH for HTTPS connections:
  - Under /var/corvigo/etc/httpd/conf/httpd.conf file:
    Line 774:
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    is replaced with:
    SSLCipherSuite ALL:!aNULL:!ADH:!DH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
  - Restart httpd service with the command:
    /etc/init.d/tmwd-httpd restart
- Disabling DH for SMTP connections:
  - Under /etc/postfix/main.cf file:
    At the end of the line smtp_tls_exclude_ciphers (originally line 991) just add DH, so it looks like:
    smtp_tls_exclude_ciphers = LOW,CAMELLIA,SEED,PSK,IDEA,eNULL,SSLv2,EXP,RC2,aNULL,DH
    Do the same for the next line, smtpd_tls_exclude_ciphers (originally line 992):
    smtpd_tls_exclude_ciphers = LOW,CAMELLIA,SEED,PSK,IDEA,eNULL,SSLv2,EXP,RC2,aNULL,DH
  - Restart postfix service using the command below:
    /etc/init.d/postfix restart
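The following shell script is an added example, not part of the original article or Axway's tooling: it checks that the three settings above carry the DH exclusion, matching whole tokens so that the existing !ADH entry is not mistaken for !DH. The function names and the sample files are constructed for illustration, and each setting is assumed to sit on a single line as shown above.

```shell
#!/bin/sh
# Added example (not vendor code): audit the DH exclusions described in this article.

# Print the value of the last uncommented KEY line ("Key value" or "key = value").
last_value() {
    awk -v key="$2" '
        $0 !~ /^[ \t]*#/ {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, key) == 1) {
                rest = substr(line, length(key) + 1)
                if (rest ~ /^[ \t=]/) { sub(/^[ \t]*=?[ \t]*/, "", rest); val = rest }
            }
        }
        END { print val }' "$1"
}

# Exact-token match: a substring search for "DH" would wrongly match "!ADH".
has_token() {
    printf '%s\n' "$1" | tr ',: \t' '\n\n\n\n' | grep -Fxq -e "$2"
}

# audit_dh HTTPD_CONF MAIN_CF: returns 0 only if all three settings exclude DH.
audit_dh() {
    rc=0
    has_token "$(last_value "$1" SSLCipherSuite)" '!DH' ||
        { echo "FAIL $1: SSLCipherSuite has no !DH"; rc=1; }
    for p in smtp_tls_exclude_ciphers smtpd_tls_exclude_ciphers; do
        has_token "$(last_value "$2" "$p")" DH ||
            { echo "FAIL $2: $p has no DH"; rc=1; }
    done
    return "$rc"
}

# Constructed sample files: the article's "before" lines, or "after" if arg 2 is set.
write_samples() {
    bang=${2:+:!DH}; dh=${2:+,DH}
    echo "SSLCipherSuite ALL:!aNULL:!ADH${bang}:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM" > "$1/httpd.conf"
    for p in smtp smtpd; do
        echo "${p}_tls_exclude_ciphers = LOW,CAMELLIA,SEED,PSK,IDEA,eNULL,SSLv2,EXP,RC2,aNULL${dh}"
    done > "$1/main.cf"
}

d=$(mktemp -d)
for state in "" after; do
    write_samples "$d" "$state"
    if audit_dh "$d/httpd.conf" "$d/main.cf"; then echo "${state:-before}: DH excluded"; fi
done
rm -rf "$d"
```

On the appliance the same check would be audit_dh /var/corvigo/etc/httpd/conf/httpd.conf /etc/postfix/main.cf; it inspects the configuration text only, not what the restarted services actually negotiate.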