PT-2015-1696 · Ietf+11 · Tls+12
Published: 2014-10-24 · Updated: 2026-05-27
CVE-2015-4000
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
TLS protocol versions 1.2 and earlier
Description
The issue is in the TLS protocol: when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, man-in-the-middle attackers can conduct cipher-downgrade attacks. They do this by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting the ServerHello with DHE_EXPORT replaced by DHE; this is known as the "Logjam" issue. An attacker in a man-in-the-middle position can thereby force a downgrade to a 512-bit export-grade cipher, potentially recovering the session key and modifying the contents of the traffic.
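To check captured handshakes for the suites involved in the rewrite described above, the following added example (not part of the original advisory) parses a ClientHello or ServerHello record and reports any DHE_EXPORT suite it carries. The function names and the sample records are constructed for illustration, and the parser assumes the hello is the first handshake message in a single, unfragmented TLS record.

```python
# Added example: helper names and sample bytes are constructed, not from the advisory.
DHE_EXPORT = {  # IANA code points of the DHE_EXPORT suites (RFC 2246)
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def hello_suites(record: bytes):
    """Return (handshake_type, [suite ids]) for one TLS record holding a hello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    hs_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    if len(body) != rec_len or rec_len < 4 or len(msg) != hs_len or hs_len < 35:
        raise ValueError("truncated hello")
    hs_type = body[0]
    pos = 35 + msg[34]                 # skip version (2), random (32), session_id
    if hs_type == 1:                   # ClientHello: length-prefixed list of offers
        want = int.from_bytes(msg[pos:pos + 2], "big")
        pos += 2
    elif hs_type == 2:                 # ServerHello: the single selected suite
        want = 2
    else:
        raise ValueError("not a ClientHello or ServerHello")
    raw = msg[pos:pos + want]
    if want == 0 or want % 2 or len(raw) != want:
        raise ValueError("bad cipher suite field")
    return hs_type, [int.from_bytes(raw[i:i + 2], "big") for i in range(0, want, 2)]

def audit(record: bytes):
    """Report which side put a DHE_EXPORT suite on the wire, if any."""
    hs_type, suites = hello_suites(record)
    hits = [DHE_EXPORT[s] for s in suites if s in DHE_EXPORT]
    if not hits:
        return "ok", []
    return ("client-offered" if hs_type == 1 else "server-selected"), hits

def build_hello(hs_type: int, suites_field: bytes) -> bytes:
    """Build a minimal constructed hello record (zero random, empty session_id)."""
    tail = b"\x01\x00" if hs_type == 1 else b"\x00"   # compression field
    msg = b"\x03\x03" + bytes(32) + b"\x00" + suites_field + tail
    body = bytes([hs_type]) + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x01" + len(body).to_bytes(2, "big") + body

# Constructed samples: 0x0033 is TLS_DHE_RSA_WITH_AES_128_CBC_SHA.
CLIENT_HELLO = build_hello(1, b"\x00\x04\x00\x33\x00\x14")
SERVER_HELLO_EXPORT = build_hello(2, b"\x00\x14")
SERVER_HELLO_OK = build_hello(2, b"\x00\x33")

if __name__ == "__main__":
    for rec in (CLIENT_HELLO, SERVER_HELLO_EXPORT, SERVER_HELLO_OK):
        print(audit(rec))
```

A "server-selected" result on a server-side capture means the server still has a DHE_EXPORT suite enabled, which is the precondition the description names.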
Recommendations
For TLS protocol versions 1.2 and earlier, consider disabling the DHE_EXPORT ciphersuite to prevent exploitation until a patch is available. As a temporary workaround, restrict access to servers that have DHE_EXPORT enabled to minimize the risk of exploitation. Avoid using the DHE_EXPORT ciphersuite in the ClientHello and ServerHello messages until the issue is resolved.
Exploit
Fix
Improper Certificate Validation
Related Identifiers
Affected Products
ALT Linux
CentOS
HPE iLO
HP-UX
IBM AIX
Java Platform
Jira
Junos
OpenSSL
Red Hat
SUSE
TLS
Ubuntu