VN-2015-007 – Logjam

Vulnerability Notice
Logjam
Summary
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on
a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers
to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT
and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
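The downgrade described in the summary leaves a signature a defender can look for in captured handshakes: the ServerHello names an ordinary DHE suite, while the ServerKeyExchange that follows carries an export-sized (512-bit) Diffie-Hellman modulus. The following Python is an added example, not part of this notice or any Extreme Networks code; it parses a TLS 1.2 ServerHello body and a DHE ServerKeyExchange body (RFC 5246 layout) and classifies the pair. The sample messages and the placeholder moduli are constructed inline and are not real DH primes or captured traffic.

```python
"""Offline Logjam handshake check (added example, not part of the advisory).

Parses a TLS 1.2 ServerHello and a DHE ServerKeyExchange body and reports
the signature the advisory describes: the ServerHello carries an ordinary
DHE suite (so the client believes it negotiated a normal group) while the
ServerKeyExchange carries an export-sized (512-bit) DH modulus.
"""
import struct

# Cipher-suite identifiers as assigned in RFC 2246 / RFC 5246.
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F

EXPORT_DHE_SUITES = {TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
                     TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA}
DHE_SUITES = EXPORT_DHE_SUITES | {TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
                                  TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                                  TLS_DHE_RSA_WITH_AES_256_CBC_SHA}


def parse_server_hello(body: bytes) -> dict:
    """Return version, cipher_suite and compression from a ServerHello body
    (the bytes after the 4-byte handshake header; extensions are ignored)."""
    if len(body) < 35:
        raise ValueError("ServerHello body too short")
    version = struct.unpack(">H", body[0:2])[0]
    session_id_len = body[34]
    off = 35 + session_id_len
    if len(body) < off + 3:
        raise ValueError("ServerHello body truncated")
    cipher_suite = struct.unpack(">H", body[off:off + 2])[0]
    return {"version": version, "cipher_suite": cipher_suite,
            "compression": body[off + 2]}


def parse_dhe_server_key_exchange(body: bytes) -> dict:
    """Return the ServerDHParams (p, g, Ys) as integers from a DHE
    ServerKeyExchange body; the trailing signature is not checked here."""
    params, off = {}, 0
    for name in ("p", "g", "Ys"):
        if off + 2 > len(body):
            raise ValueError(f"missing length for {name}")
        length = struct.unpack(">H", body[off:off + 2])[0]
        off += 2
        value = body[off:off + length]
        if len(value) != length:
            raise ValueError(f"truncated {name}")
        off += length
        params[name] = int.from_bytes(value, "big")
    return params


def classify_handshake(server_hello: bytes, server_key_exchange: bytes) -> str:
    """Classify one observed handshake from a defender's point of view."""
    suite = parse_server_hello(server_hello)["cipher_suite"]
    if suite not in DHE_SUITES:
        return "not-dhe"
    if suite in EXPORT_DHE_SUITES:
        return "export-suite"          # DHE_EXPORT negotiated openly: disable it
    p_bits = parse_dhe_server_key_exchange(server_key_exchange)["p"].bit_length()
    if p_bits < 1024:
        return "logjam-downgrade"      # normal suite on the wire, export-sized group
    if p_bits < 2048:
        return "weak-dh"               # 1024-bit groups are also discouraged
    return "ok"


# --- constructed sample messages (not captured traffic) -------------------
def build_server_hello(cipher_suite: int) -> bytes:
    """TLS 1.2 ServerHello with an all-zero random and an empty session id."""
    return (struct.pack(">H", 0x0303) + bytes(32) + b"\x00"
            + struct.pack(">H", cipher_suite) + b"\x00")


def build_server_key_exchange(p: int, g: int = 2, ys: int = 3) -> bytes:
    """ServerDHParams only; a real message would append a signature."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack(">H", len(raw)) + raw
    return out


# Placeholder moduli: only their size matters for this check; they are not
# real DH primes.
EXPORT_SIZED_P = (1 << 511) + 1      # 512 bits, the DHE_EXPORT size
STRONG_SIZED_P = (1 << 2047) + 1     # 2048 bits


if __name__ == "__main__":
    hello = build_server_hello(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
    print(classify_handshake(hello, build_server_key_exchange(EXPORT_SIZED_P)))  # logjam-downgrade
    print(classify_handshake(hello, build_server_key_exchange(STRONG_SIZED_P)))  # ok
```

The "export-suite" result corresponds to the plain case the product sections below address (an export-grade suite negotiated openly, fixed by disabling weak ciphers), while "logjam-downgrade" is the case the CVE describes, where the client sees a normal DHE suite but receives a 512-bit group; a client-side check of the modulus size is what actually stops it.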
Background (From CVE Project)
CVE-2015-4000
Published: 6/17/2015
CVSS Severity: 2.9
Impact
Allows unauthorized modification
Logjam / Rev. [3.0], updated: 12-Aug-15
Owner: Serviceability
Effective Date: [23-Jun-2015]
Page 1 of 5
Products Potentially Affected
The following is the vulnerability status of the software products supported by Extreme Networks for this issue:
Product                                          Vulnerable
ExtremeXOS (all products)                        No
A, B, C, D, G, I and 800 Series Fixed Switches   Yes (See Impact Details)
ExtremeWare                                      Yes (See Impact Details)
IDS/IPS                                          No
IdentiFi Wireless                                Yes (See Impact Details)
N, K, SSA, and S Modular Switches                No
NetSight                                         No
NAC (IA)                                         No
Purview                                          No
Ridgeline                                        No
Security Information & Event Manager             Investigating
Summit WM3000 Series                             Yes (See Impact Details)
X-Series Secure Core Router                      Investigating
XSR (X-Pedition Security Router)                 No
Impact Details
ExtremeXOS (all products)

Vulnerable: No. EXOS does not support the DHE_EXPORT ciphersuite that leads to this vulnerability.
A, B, C, D, G, I and 800 Series Fixed Switches

Vulnerable: Yes
Vulnerable Component: SSL. RC4 Ciphers are supported
Describe conditions when component Vulnerability occurs (why/when/how):
o SSL is used only with Web management and is disabled by default.
Product version(s) affected: ALL
Workaround: Do not enable web management. Disable RC4 on browser
Target Fix Release: N/A
Target Month for Fix Release: N/A
ExtremeWare

Vulnerable: Yes
Vulnerable Component: HTTPS
Describe conditions when component Vulnerability occurs: See CVE-2015-4000
Product version(s) affected: ExtremeWare 7.8
Workaround: Disable HTTPS
Target Fix Release: There is no active release; this will not be fixed.
IDS/IPS

Vulnerable: No
IdentiFi Wireless
AP2600 series of IdentiFi APs:
Vulnerable: No
AP3600, AP3700 & AP3800 series of IdentiFi APs:
Vulnerable: No
The IdentiFi wireless line of controllers includes a web server that can accept requests for export-grade
cipher suites. Customers can disable the use of export-grade encryption by disabling the "Enable Weak
Ciphers" option (on the "Secure Connections" page of the controller module of the wireless controller GUI).
C25, C4110, C5110, C5210, V2110:
Vulnerable: Yes
Vulnerable Component: web server, if "Enable Weak Ciphers" is on
Describe conditions when component Vulnerability occurs (why/when/how):
o The IdentiFi wireless line of controllers is vulnerable when "Enable Weak Ciphers" is turned on.
Product version(s) affected: all minor releases of release 9.0
Workaround: Use the controller GUI to disable the use of "Enable Weak Ciphers"
Target Fix Release: N/A
Target Month for Fix Release: N/A
N, K, SSA, and S Modular Switches

Vulnerable: No
NetSight / NAC (IA) / Purview
NetSight

Vulnerable: No
NAC

Vulnerable: No
Purview
 Vulnerable: No
Ridgeline

Vulnerable: No
Security Information & Event Manager

Vulnerable: TBD
Summit WM3000 Series

Vulnerable: Yes
Vulnerable Component: HTTPS
Describe conditions when component Vulnerability occurs: As described in the CVE, with HTTPS.
Product version(s) affected: All
Workaround: None
Target Fix Release: TBD
Target Month for Fix Release: TBD
X-Series Secure Core Router

Vulnerable: TBD
XSR (X-Pedition Security Router)

Vulnerable: No. XSR does not use OpenSSL.
Repair Recommendations
The resolution to any threat or issue is dependent upon a number of things, including the setup of the
computer network and how the local IT team wants to address the situation. Accordingly, in addition to
updating the software as recommended in this document, the local IT team will need to analyze and address
the situation in a manner that it determines will best address the set-up of its computer network.
Update the software, identified in this Notice, in your Extreme Networks products by replacing it with the latest
releases from Extreme Networks including those listed above.
Firmware and software can be downloaded from www.extremenetworks.com/support.
Legal Notice
This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or
warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use.
Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme
Networks reserves the right to change or update this document at any time, and expects to update this
document as new information becomes available. The information provided herein is applicable to current
Extreme Networks products identified herein and is not intended to be any representation of future functionality
or compatibility with any third-party technologies referenced herein. This notice shall not change any contract
or agreement that you have entered into with Extreme Networks.
Revision History
Rev. No.   Date Modified   Description / Milestone
1.0        23-Jun-2015     First release.
2.0        25-Jun-2015     Update NetSight, NAC, Purview, IDS/IPS, WM3000 series
3.0        11-Aug-2015     Update XSR and A, B, C, D, G, I and 800 Series Fixed Switches