Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

At Risk to Logjam

by David Schwalenberg
June 23, 2015

At Risk to Logjam Dashboard Screenshot

The Logjam attack (CVE-2015-4000) exploits a flaw in the TLS protocol that allows a man-in-the-middle attacker to downgrade the cryptography on vulnerable TLS connections, allowing the attacker to read and modify data sent over the connection. The Logjam attack affects all web browsers and any server that still supports weak export-grade cryptography. This dashboard assists organizations with finding systems that are vulnerable to the Logjam attack so that they can be patched and properly configured.

The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Security Industry Trends.

The dashboard requirements are:

  • SecurityCenter 4.8.2
  • Nessus 6.3.4
  • PVS 4.2.0
  • LCE 4.4.1

The components in this dashboard primarily use active detections, passive detections, and event-based detections based on the CVE string to search for Logjam attack vulnerabilities. However, the Potentially at Risk Subnets component provides a list of all subnets containing systems that are using the TLS protocol. Since the Logjam attack makes use of a flaw in TLS, any applications using that protocol on the noted systems (such as web browsers, web and mail servers, and custom applications) are potentially at risk. These applications should be investigated, fully patched, and correctly configured.

The Patches Applied Status component reports progress on mitigating Logjam attack vulnerabilities. The "Detected" row displays hosts and vulnerabilities with the CVE within the cumulative vulnerability database. The "Patched" row also uses the CVE, but it searches within the mitigated vulnerability database. When a host is scanned, the scan results are stored in the cumulative database, where current vulnerabilities are stored. When the host is scanned again, if the vulnerability is no longer present, it is considered mitigated and the results are moved to the mitigated database. As mitigation efforts proceed, the counts of hosts and vulnerabilities in this component should move from the Detected row to the Patched row.

SecurityCenter Continuous View (CV) provides organizations with proactive continuous monitoring to identify the newest threats across the entire enterprise. SecurityCenter CV enables the organization to react to advanced threats, zero-day vulnerabilities and new forms of regulatory compliance. SecurityCenter CV supports more technologies than any other vendor, including operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure.

Listed below are the included components:

  • At Risk to Logjam - Vulnerable Subnets - Using the Logjam CVE to match vulnerabilities, this table provides a list of subnets and the count of systems that are confirmed vulnerable to the Logjam attack. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify data sent over the connection. The table shows the affected subnets, total number of vulnerabilities, and a summary bar that is broken down by severity.
  • At Risk to Logjam - Potentially At Risk Subnets (TLS Traffic Negotiation Detection) - This table provides a list of subnets and the count of systems that are using the TLS protocol. Since the Logjam attack makes use of a flaw in TLS, any systems using that protocol are potentially at risk. Make sure that all applications that use TLS on the noted systems (such as web browsers, web and mail servers, and custom applications) are fully patched and correctly configured.
  • At Risk to Logjam - Patches Applied Status - This matrix reports progress on mitigating Logjam attack vulnerabilities. The "Detected" row displays hosts and vulnerabilities using the Logjam CVE within the cumulative vulnerability database. The "Patched" row also uses the Logjam CVE, but it searches within the mitigated vulnerability database. When a host is scanned, the scan results are stored in the cumulative database, where current vulnerabilities are stored. When the host is scanned again, if the vulnerability is no longer present, it is considered mitigated and the results are moved to the mitigated database. As mitigation efforts proceed, the counts of hosts and vulnerabilities in this component should move from the Detected row to the Patched row.
  • At Risk to Logjam - Vulnerability Summary - Using the Logjam CVE to match vulnerabilities, this table provides a list of Logjam attack vulnerabilities sorted by severity. This provides a quick overview of the current vulnerabilities on the network. The analyst will need to drill down into each vulnerability to fully understand the associated risk. The table is sorted by severity level, showing the critical and high severity vulnerabilities at the top.
  • At Risk to Logjam - Detection from Log Analysis - The Log Correlation Engine (LCE) collects and correlates log events to detect network activity and anomalies. When the LCE detects an event that indicates that a weak export cipher suite is in use (a potential Logjam attack), it triggers an event vulnerability that includes the Logjam CVE. This component provides a count of hosts on which this vulnerability was detected and a count of the vulnerability detections.
  • Where is the POODLE - SSL Plugins - All the plugins that refer to SSL or certificates have been grouped into these indicators. An indicator will not be highlighted if no matches are found; however, if a match is found, the color will change. If all the plugins applied to the indicator have a severity of info or low, then the indicator will turn blue. If any of the selected plugins are medium, high, or critical, the color of the indicator will change to yellow, orange, or red accordingly. However, if there is a mix of info, low, medium, and high, the indicator will be purple. Indicators with a critical severity plugin will always be red.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training