How to apply the hotfix for the Logjam vulnerability on SWG acting as a server and a client.


This article applies to:

  • SWG 11.0
  • SWG 11.5
  • SWG 11.6

Question:

  • How to apply the hotfix for the Logjam vulnerability on SWG acting as a server and a client.

Procedure:

The Logjam vulnerability is related to the Diffie-Hellman key exchange, which allows Internet protocols such as HTTPS, SSH, IPsec, SMTPS and others that depend on TLS to agree on a shared key and negotiate a secure connection.

Diffie-Hellman key exchange is a cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, and protocols that rely on Transport Layer Security (TLS).

This hotfix addresses weaknesses in how Diffie-Hellman key exchange is deployed, which can result in a Logjam attack against the TLS protocol. The vulnerability is attributable to a flaw in the TLS protocol rather than an implementation vulnerability.

A Logjam attack can affect any server that supports Ephemeral Diffie-Hellman export ciphers, as well as all modern web browsers. The attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography, enabling the attacker to read and modify any data passing over the connection.

SWG in this case can act as a Client and as a Server. Please see the steps below to apply the hotfix:


For SWG acting as a Server:

An Auto Hotfix (AHF) has already been released for download for SWG running software versions v11.0, v11.5 and v11.6. This patch will cause SSHd to no longer support export Diffie-Hellman key exchange.

Please note that our HTTPS service already does not support EDH, therefore no change is needed there.


For SWG acting as a Client:

After installing this hotfix, SWG will no longer support cipher suites using authenticated ephemeral Diffie-Hellman (EDH) key agreement. Some websites will only negotiate TLS with this cipher, and so will no longer work. If the operation of such websites is critical, you can revert the change and allow SWG to use that cipher again.

For this reason we created a separate patch which is not distributed through any of the SWG HotFix channels (AHF, RHF, MHF).

This general patch disables EDH support automatically after installation and installs an additional script in case the customer wants to revert the change.
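To preview the impact of the client-side change before installing the patch, the following added example (not Trustwave's update_https_module.pl, and not part of this article) builds an OpenSSL client cipher list with the EDH suites removed, lists which suites that drops, and can test whether a given site still completes a handshake without them. The cipher strings WEAK_CIPHERS and HARDENED_CIPHERS are assumptions standing in for the SWG's HTTPS module settings.

```python
"""Preview the Logjam hotfix's client-side change: compare an OpenSSL cipher
list that still allows EDH against one that excludes it, and optionally test
whether a site requires EDH (i.e. would stop working behind SWG afterwards)."""
import re
import socket
import ssl

# Hypothetical cipher strings standing in for the SWG HTTPS module settings:
# the pre-hotfix list still allows EDH suites; the post-hotfix one excludes them.
WEAK_CIPHERS = "DEFAULT"
HARDENED_CIPHERS = "DEFAULT:!EDH"   # "EDH" is OpenSSL's alias for ephemeral DH suites

# OpenSSL describes a finite-field DH suite as "Kx=DH"; ECDHE shows "Kx=ECDH"
# and TLS 1.3 suites show "Kx=any", so neither matches this pattern.
_DH_KX = re.compile(r"\bKx=DH\b")


def make_context(cipher_string):
    """Client context restricted to the given OpenSSL cipher string."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(cipher_string)
    return ctx


def dhe_suites(cipher_string):
    """Names of the EDH/DHE suites a cipher string still enables."""
    ctx = make_context(cipher_string)
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if _DH_KX.search(c["description"]))


def site_requires_edh(host, port=443, timeout=5.0):
    """True if `host` handshakes only when EDH suites are offered, meaning it
    would no longer work after the hotfix.  Network call; not run offline."""
    def handshake(ctx):
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    return tls.cipher()[0]   # negotiated suite name
        except (ssl.SSLError, OSError):
            return None
    with_edh = handshake(make_context(WEAK_CIPHERS))
    without_edh = handshake(make_context(HARDENED_CIPHERS))
    return with_edh is not None and without_edh is None


if __name__ == "__main__":
    print("EDH suites dropped by the hardened list:", dhe_suites(WEAK_CIPHERS))
    print("EDH suites left in the hardened list:", dhe_suites(HARDENED_CIPHERS))
```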


Patch installation on SWG v11.5/11.6/11.7:

To install this Hotfix (if you have already downloaded the Hotfix file, ignore steps 1-4):

1. Download the Hotfix from the FTP site to your local desktop (the hotfix link is also attached to this KB article). Note that you can verify the Hotfix content using the md5 utility against the md5 file from the FTP.

2. In the Management Console, navigate to Settings > Updates > Updates Management.

3. Click Import Updates at the lower right of the screen.

4. In the Local Update Import window that opens, browse to the Hotfix fup file on your desktop; select it and click Upload in the window. The Hotfix will appear in the Available Updates window. If it does not appear right away, click the Refresh button.

5. In the Available Updates window, select the Hotfix from the list and click Install Update. Once the Hotfix has been installed, it will move to the Installed Updates tab.

During the patch installation process, two scripts will be loaded onto the system:

a. /usr/share/perl5/update_https_module.pl

b. /usr/share/perl5/update_https_module_revert.pl

The first script runs automatically during the patch installation; the second one must be run by a TAC support technician, as it requires root access (only when a revert is needed).

A "dummy" commit after running the patch is needed to apply the changes.


Patch installation on SWG v11.0:

First of all, we recommend upgrading to SWG 11.5 and applying the above hotfix. However, if this is not possible, please follow the instructions below.

This Hotfix must be installed by the SWG administrator on top of SWG 11.0. Management Hotfix 08-01 for SWG 11.0 must be applied before applying this hotfix. This Hotfix restarts the Scanning Server and will therefore impact user Web access for some minutes.

Any future Management hotfixes applied to the Policy Server will revert this change. This hotfix cannot be reapplied afterwards.

After any future migration to SWG version 11.5, the string affected by this hotfix will not be recognized and the system will downgrade to a WEAK cipher list. For each device, the Allow Weak Ciphersuites check box in Devices > HTTPS > Advanced tab will be updated automatically and should be unchecked to return to usage of strong ciphers only.

In addition, Logjam Hotfix CVE-2015-4000 for SWG 11.5 must be applied after the migration to version 11.5.

To install this Hotfix (if you have already downloaded the Hotfix file, ignore steps 1-4):

1. For each device under Devices, select HTTPS and in the Advanced tab, uncheck the Allow Weak Ciphersuites check box.

2. Download the Hotfix from the FTP site to your local desktop (the hotfix is also attached to this KB article). Note that you can verify the Hotfix content using the md5 utility against the md5 file from the FTP.

3. In the Management Console, navigate to Settings > Updates > Updates Management.

4. Click Import Updates at the lower right of the screen.

5. In the Local Update Import window that opens, browse to the Hotfix fup file on your desktop; select it and click Upload in the window. The Hotfix will appear in the Available Updates window. If it does not appear right away, click the Refresh button.

6. In the Available Updates window, select the Hotfix from the list and click Install Update. Once the Hotfix has been installed, it will move to the Installed Updates tab.


Notes:

If the system must be reverted back to support EDH, contact Trustwave Support at tac@trustwave.com.



Last Modified 6/25/2015.
https://support.trustwave.com/kb/KnowledgebaseArticle20294.aspx