What we’ve done to protect against VENOM and Logjam

In the last 7 days the internet community has seen two quite significant (but unrelated) security vulnerabilities made public; affectionately named “VENOM”  (CVE-2015-3456) and “Logjam”.

We’ve taken steps to protect our customers from both.

“VENOM”  (CVE-2015-3456) is a vulnerability affecting the vast majority of Cloud and VPS providers such as ourselves. It is a flaw in the virtualisation software used by most providers, called “qemu” which could potentially allow an administrative user on one VPS to access the memory area of other VPS running on the same physical host. Due to the critical nature of this vulnerability, we applied the fix made available for qemu across all of our physical VPS hosts and, very soon after the vulnerability was made public, all customer VPS were either restarted with a new patched qemu instance or live migrated to a new, patched qemu instance, and thus no longer vulnerable.

“Logjam” is a set of weaknesses identified by security researchers in Diffie-Hellman for TLS, a cryptographic algorithm fundamental to many internet protocols including HTTPS. This research was made public today. The weaknesses allows attackers to downgrade vulnerable TLS connections (including HTTPS) to use 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection.  We immediately assessed our web servers which rely on HTTPS to encrypt the Client Area and VPS Control Panel, and found that they were not vulnerable to the worst of the weaknesses as we already configured them using a strong set of cipher suites when they were originally deployed, and have hardened the configurations further over the last couple of years as new vulnerabilities have surfaced (such as Heartbleed and Poodle).  As a result we had already disabled export cipher suites, which are vulnerable to Logjam attacks, a long time ago.  However, we found our web servers were vulnerable to one of the weaknesses the Logjam researchers found, which is that most web servers use the same prime numbers for Diffie-Hellman key exchange, making them potentially vulnerable to eavesdropping by a nation state. As a result, we followed their advice and generated a strong, unique Diffie Hellman Group on all our web servers and restarted them, closing the vulnerability.  So our customers can be reassured that their communications with us are extremely secure, as we have always taken the security of our HTTPS protected website areas extremely seriously.

More information about VENOM can be found here, and for information about Logjam see here.

Leave a Reply