← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
tenable:83875 · CWE-310 · Disclosed 2015-05-20

SSL/TLS Diffie-Hellman Modulus <= 1024 Bits

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is an old padlock with a known weak keyway, not an unlocked front door

Tenable plugin 83875 is flagging a configuration weakness, not a host-takeover bug. Any TLS service on TLS 1.2 or earlier that will negotiate finite-field DHE with a Diffie-Hellman modulus of 1024 bits or less can fall into scope, and the highest-risk case is reuse of common 1024-bit groups or support for legacy DHE_EXPORT paths. There is no neat product-version boundary here: the affected range is essentially whatever service configuration still offers weak DHE.

Tenable calling this LOW is basically right. Logjam sounds dramatic because the research was important, but in enterprise patch triage this is not commodity unauthenticated RCE; it requires an active man-in-the-middle position, depends on the target still offering weak DHE, and usually ends in session decryption/tampering, not system compromise. The severity only climbs if the finding sits on high-value edge systems like legacy VPN, mail, or admin portals where an on-path attacker is plausible.

"Real issue, but not a fire drill: Logjam needs an on-path attacker and a legacy weak-DHE endpoint."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get on path with bettercap or equivalent MITM tooling

The attacker first needs a position between client and server: hostile Wi-Fi, ARP spoofing on an internal segment, compromised proxy, malicious ISP path, or rarer routing manipulation. Without that position, Logjam does nothing. This is the dominant friction point and the main reason this is not a top-tier patch emergency.
Conditions required:
  • Attacker has on-path network position
  • Traffic to the weak TLS service is reachable through that path
Where this breaks in practice:
  • Modern enterprises usually segment admin traffic and terminate edge TLS through managed devices
  • Getting on path often already implies another compromise or privileged network vantage
Detection/coverage: No vulnerability scanner sees this step directly. Detect with NAC, switch telemetry, rogue AP monitoring, ARP inspection, proxy logs, and network IDS.
STEP 02

Force or negotiate weak finite-field DHE during handshake

Using the Logjam technique documented by the weakdh.org researchers, the attacker targets servers that still allow DHE_EXPORT or weak DHE parameters. Nessus 83875, nmap --script ssl-dh-params, and SSL testing tools reliably detect this server-side prerequisite before an attacker does.
Conditions required:
  • Target service supports DHE_EXPORT or DHE with modulus <=1024 bits
  • Client and server are using pre-TLS 1.3 negotiation behavior relevant to the weak path
Where this breaks in practice:
  • Many modern services default to ECDHE or TLS 1.3 and never expose this path
  • Browsers and hardened clients increasingly reject short DH groups
Detection/coverage: Strong scanner coverage. Tenable 83875, SSL Labs, and Nmap ssl-dh-params catch the weak parameter issue well.
STEP 03

Break the weak group with precomputation using CADO-NFS-style math

For 512-bit export groups, the original researchers demonstrated practical attacks; for common 1024-bit groups, the research argues nation-state-level precomputation is the meaningful threat model. If the server reuses a common 1024-bit prime, the expensive work can be amortized across many targets using that same group. That is why reused built-in DH groups are worse than merely '1024-bit once.'
Conditions required:
  • Weak or commonly reused DH group is in use
  • Attacker has sufficient compute/resources for the target group size
Where this breaks in practice:
  • Commodity criminals generally do not invest in 1024-bit finite-field precomputation
  • Unique 2048-bit groups or ECDHE kill this step
Detection/coverage: Very poor direct detection. You usually only see the prerequisite misconfiguration, not the math attack itself.
STEP 04

Read or tamper with the intercepted TLS session

After the handshake is weakened and the shared secret recovered, the attacker can decrypt traffic and potentially modify session contents in transit. This is serious for credentials, mail, admin panels, and sensitive APIs, but it is still session compromise, not host-level code execution or persistence.
Conditions required:
  • Successful MITM and successful downgrade/cryptanalysis
  • Target session carries data worth intercepting or altering
Where this breaks in practice:
  • Application-layer controls like HSTS, certificate pinning, MFA, and signed transactions can reduce practical follow-on abuse
  • Blast radius is bounded to the intercepted sessions and paths
Detection/coverage: Mostly indirect: TLS downgrade anomalies, cert warnings, proxy mismatches, user reports, and application auth irregularities.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusThe original weakdh.org team said the attack likely had not been widely exploited in the wild; I found no reviewed-source evidence of current widespread commodity exploitation.
Proof-of-concept availabilityYes. The researchers published public Logjam PoC demos and a full paper at weakdh.org. Detection tooling is also widely available via Nessus and Nmap.
EPSSTenable and CVE Details currently surface an EPSS around 0.937 / 93.7% with a near-top percentile. Treat that as prevalence/history signal, not proof this is a modern mass-exploitation favorite.
KEV statusI found no CISA KEV listing in the reviewed materials for CVE-2015-4000; what did surface from CISA was the older 2015 bulletin.
CVSS vector reality checkCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N is directionally fair: high attack complexity is the real story because the attacker needs an active MITM path and compatible weak TLS behavior.
Affected rangeAny service negotiating TLS 1.2 or earlier with finite-field DHE and a DH modulus <=1024 bits. The plugin is configuration-driven, not tied to one vendor build train.
Fixed stateThere is no single patched version for the server-side condition. The durable fix is to disable export suites, prefer ECDHE/TLS 1.3, or generate unique 2048-bit+ DH parameters. OpenSSL also added client-side hardening in the 1.0.2b / 1.0.1n era.
Scanning / exposure dataHistorically, the researchers estimated that breaking the most common 1024-bit prime would expose passive eavesdropping against 18% of the Top 1M HTTPS domains at the time, and CVE Details surfaces 2,387 affected IPs from Shodan-backed exposure data. That is a legacy-tail problem, not evidence of broad modern enterprise edge exposure.
DisclosureCVE-2015-4000 was assigned on 2015-05-20 following the Logjam disclosure.
Researchers / orgsThe work came from researchers across CNRS, Inria, Microsoft Research, Johns Hopkins, University of Michigan, and University of Pennsylvania.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to LOW (3.0/10)

The decisive friction is the attacker position requirement: Logjam is only useful once the adversary is already on path to the traffic. That sharply limits reachable population and turns this from a scary cryptography headline into a legacy-session-risk issue rather than a fleet-wide emergency.

HIGH Severity bucket for enterprise patch prioritization
MEDIUM Current exploitation prevalence outside niche/high-capability adversaries

Why this verdict

  • On-path MITM is mandatory: this is not internet spray-and-pray. The attacker already needs network vantage such as rogue Wi-Fi, LAN spoofing, proxy control, or upstream path influence.
  • The exposed population is narrower every year: only pre-TLS 1.3 services still offering finite-field DHE at <=1024 bits are in scope, while many modern stacks default to ECDHE or reject weak groups outright.
  • Impact is session compromise, not host compromise: even when exploitation works, the usual result is decrypted or modified traffic for intercepted sessions, not unauthenticated RCE, persistence, or lateral movement by itself.

Why not higher?

There is no reviewed-source evidence here of KEV listing or broad current commodity exploitation, and the attack chain has stacked prerequisites: weak server config, compatible client behavior, and an active MITM position. That is too much friction for HIGH, let alone CRITICAL, in a 10,000-host patch queue.

Why not lower?

This is still a real cryptographic weakness, not scanner trivia. If the endpoint is internet-facing and carries credentials, admin traffic, or sensitive mail/API sessions, a capable on-path attacker can turn the weakness into confidentiality and integrity loss, so IGNORE would be too casual.

05 · Compensating Control

What to do — in priority order.

  1. Disable finite-field DHE where you can — Prefer ECDHE and TLS 1.3 on external services so the weak-DH path simply does not exist. For a LOW verdict there is no formal mitigation SLA; do this in your normal crypto-hardening cycle, but prioritize any internet-facing admin, VPN, mail, or identity endpoints first.
  2. Regenerate DH parameters at 2048 bits or higher — If a legacy service must keep finite-field DHE, generate unique 2048-bit+ DH params instead of shipping vendor defaults or common groups. Again, there is no noisgate mitigation deadline for LOW; fold it into the next service config maintenance window.
  3. Fence legacy weak-DHE services behind managed paths — Put the unavoidable exceptions behind VPN, reverse proxy, NAC, or internal-only access to make the MITM prerequisite much harder to satisfy. For LOW, this is backlog hygiene rather than emergency action, but it is worth doing for high-value administrative systems.
What doesn't work
  • Simply rotating the TLS certificate does not fix weak Diffie-Hellman parameters.
  • Blindly upgrading the crypto library alone may not help if the service configuration still offers weak or reused DH groups.
  • Relying on 'internal only' as the sole protection is weak reasoning; Logjam becomes more plausible after an attacker gets internal network foothold.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or jump box that can reach the target service over the network. Invoke it as ./check_logjam.sh host.example.com 443; no elevated privileges are needed, but you need outbound connectivity to the target and openssl installed.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_logjam.sh
# Purpose: check whether a TLS service negotiates finite-field DHE with a modulus <= 1024 bits.
# Usage: ./check_logjam.sh <host> <port>
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=USAGE/DEPENDENCY ERROR

set -u

HOST="${1:-}"
PORT="${2:-}"

if [[ -z "$HOST" || -z "$PORT" ]]; then
  echo "Usage: $0 <host> <port>"
  exit 3
fi

if ! command -v openssl >/dev/null 2>&1; then
  echo "UNKNOWN - openssl not found"
  exit 3
fi

# Try to force a DHE handshake while lowering local security level enough
# to observe weak DH parameters if the server still offers them.
OUTPUT="$(printf '' | openssl s_client -connect "${HOST}:${PORT}" -servername "$HOST" -tls1_2 -cipher 'EDH:@SECLEVEL=0' 2>&1)"

# If the server negotiated finite-field DH, OpenSSL 1.0.2+ usually prints:
#   Server Temp Key: DH, 1024 bits
TEMP_KEY_LINE="$(printf '%s\n' "$OUTPUT" | grep -E 'Server Temp Key: DH, [0-9]+ bits' | head -n1 || true)"

if [[ -n "$TEMP_KEY_LINE" ]]; then
  BITS="$(printf '%s\n' "$TEMP_KEY_LINE" | sed -E 's/.*DH, ([0-9]+) bits.*/\1/')"
  if [[ "$BITS" =~ ^[0-9]+$ ]]; then
    if (( BITS <= 1024 )); then
      echo "VULNERABLE - negotiated finite-field DH with ${BITS}-bit modulus"
      exit 1
    else
      echo "PATCHED - negotiated finite-field DH with ${BITS}-bit modulus"
      exit 0
    fi
  fi
fi

# If the DHE handshake failed because the server does not offer DHE at all,
# that is PATCHED for this specific Logjam-style weak-DH check.
if printf '%s\n' "$OUTPUT" | grep -Eqi 'handshake failure|no shared cipher|no cipher match|sslv3 alert handshake failure'; then
  echo "PATCHED - server did not negotiate DHE for this probe"
  exit 0
fi

# If we reached a certificate and session but saw no finite-field DH line,
# the server may be using ECDHE/RSA-only ciphers or the local OpenSSL is too old
# to expose the temporary key details.
if printf '%s\n' "$OUTPUT" | grep -Eqi 'BEGIN CERTIFICATE|Certificate chain|SSL-Session:'; then
  echo "UNKNOWN - handshake succeeded but DH size was not exposed; verify with nmap --script ssl-dh-params or a newer openssl"
  exit 2
fi

echo "UNKNOWN - could not determine DH parameter strength"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, separate these findings into internet-facing high-value endpoints (VPN, web admin, mail, identity, TLS-terminating proxies) versus everything else. For a LOW verdict, the noisgate mitigation SLA is no SLA and the noisgate remediation SLA is also backlog hygiene with no fixed deadline, so this is not a stop-the-world patch item; still, close any exposed edge exceptions in your next TLS hardening change window and let the remaining internal/legacy cases ride the normal cleanup backlog.

Sources

  1. Tenable Nessus Plugin 83875
  2. NVD CVE-2015-4000
  3. Tenable CVE page with EPSS
  4. Weak Diffie-Hellman and the Logjam Attack
  5. Logjam attack proof-of-concept demos
  6. WeakDH deployment guide
  7. OpenSSL guidance on Logjam
  8. CISA 2015 vulnerability bulletin
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.