Audit Scan Failure due to SSH Diffie-Hellman Modulus <= 1024 Bits (Logjam) port:22
About the platform: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Excluding Fisheye and Crucible
Problem
When running penetration testing or audit scan scripts against the Hipchat Server OVA, you may encounter this finding: the SSH service on port 22 offers a Diffie-Hellman group of 1024 bits or less.
Cause
According to the Weak Diffie-Hellman and the Logjam Attack page:
The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable.
Solution
- In the Hipchat Server case, you should disable support for export cipher suites and use a 2048-bit Diffie-Hellman group.
- Please refer to the Guide to Deploying Diffie-Hellman for TLS with step-by-step instructions.
- If you use SSH, you should upgrade both your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman Key Exchange.
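The SSH finding above comes from the server's Diffie-Hellman group exchange offering small groups, which OpenSSH draws from its moduli file. The following shell script is an added example (not part of this Atlassian article and not Atlassian code): it checks a moduli file in the standard OpenSSH format for groups below 2048 bits and prints the hardened version that keeps only the larger groups. The sample moduli content and the placeholder modulus values are constructed for the example; a real check would point the functions at /etc/ssh/moduli.

```shell
#!/bin/sh
# Added example: audit an OpenSSH moduli file for weak Diffie-Hellman groups.
# Assumed format (standard /etc/ssh/moduli): time type tests trials size generator modulus
# Field 5 ("size") is the group size in bits minus one, so a 2048-bit group shows 2047.

# Constructed sample in the moduli format; modulus values are placeholders, not real primes.
SAMPLE_MODULI='# Time Type Tests Tries Size Generator Modulus
20240101000000 2 6 100 1023 2 PLACEHOLDER_1024BIT
20240101000000 2 6 100 1535 2 PLACEHOLDER_1536BIT
20240101000000 2 6 100 2047 2 PLACEHOLDER_2048BIT
20240101000000 2 6 100 4095 5 PLACEHOLDER_4096BIT'

# count_weak_moduli FILE : number of DH groups smaller than 2048 bits (the Logjam-relevant ones).
count_weak_moduli() {
    awk '!/^#/ && NF >= 7 && $5 < 2047 { n++ } END { print n+0 }' "$1"
}

# filter_strong_moduli FILE : print comments plus only the groups of 2048 bits or more.
# Writing this output over the moduli file (after a backup) is the usual hardening step.
filter_strong_moduli() {
    awk '/^#/ || (NF >= 7 && $5 >= 2047)' "$1"
}

# count_strong_moduli FILE : number of groups that survive the filter.
count_strong_moduli() {
    filter_strong_moduli "$1" | awk '!/^#/ { n++ } END { print n+0 }'
}

# Stand-alone run against the constructed sample.
main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_MODULI" > "$tmp"
    echo "weak groups (<2048 bits): $(count_weak_moduli "$tmp")"
    echo "hardened moduli file would contain:"
    filter_strong_moduli "$tmp"
    rm -f "$tmp"
}
main
```

Removing the small groups from the moduli file addresses only the group-exchange methods; pairing it with a KexAlgorithms setting in sshd_config that prefers the elliptic-curve exchanges the article recommends, and restarting sshd, is what makes the scan finding disappear.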