Privacy and Confidentiality Notice
“ABC-J Corp” is a B2B and B2C security company. The company’s name and identity shall remain confidential and undisclosed. They have been notified of these vulnerabilities.
Since you’re a security firm, it is recommended that you use an Extended Validation (EV) SSL certificate.
Like our friends at XYZ Mega Corp, you’re also hosting on Amazon Web Services (AWS). Since AWS provides fully managed support, the simplest option is to have AWS address these weaknesses in your configuration. As a side note, there are several references in this post to “WeakDH.org.” That site is managed by the University of Michigan College of Engineering.
Your SSL configuration supports client connections that use 1024-bit Diffie-Hellman (DH) primes. On May 20, 2015 it was published that cipher suites that support this configuration may be susceptible to passive eavesdropping from an attacker with nation-state resources.[1]
Run your domain name through SSL Labs to get the specifics. Also, keep your results private by checking “Do not show the results on the boards.” You want to aim for nothing less than an A+ on this SSL test!
Solution and Countermeasures
We recommend pushing updates to a staging server before modifying a live, production system. Here’s the upshot: you want to ensure the availability of your server in the event any updates cause your system to crash.
If you have an experienced Systems Administrator on staff, this vulnerability may be easily resolved by first updating your packages. It appears you may be using NGINX on Ubuntu. We prefer aptitude, so this is how we update our servers:
$ sudo aptitude update
$ sudo aptitude upgrade
Depending on when you last did a package update, the above should generate and force the use of 2048-bit groups for OpenSSL. However, you’ll also want to “modernize” the cipher suites your server accepts from browsers. WeakDH.org has modern cipher suite configurations for both NGINX and Apache.
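To confirm the result after updating, the check below audits an NGINX configuration for the settings this section is about: a DH group of at least 2048 bits, no export-grade cipher suites, and server-side cipher preference. It is an added example, not code from WeakDH.org or from the original post; the function names, finding labels and the MIN_DH_BITS threshold are assumptions of this example, and it relies on the "DH Parameters: (N bit)" line that `openssl dhparam -text` prints.

```shell
#!/usr/bin/env bash
# Added example: audit an NGINX config for the weak-DH settings discussed above.
# Function names, finding labels and MIN_DH_BITS are this example's own.
MIN_DH_BITS=2048

# Print the arguments of directive $1 in config file $2 (comments stripped).
directive_args() {
  sed -e 's/#.*$//' "$2" |
    sed -n -E "s/^[[:space:]]*$1[[:space:]]+([^;]*);.*/\1/p"
}

# Print the prime size in bits of DH parameter file $1, parsed from the
# "DH Parameters: (N bit)" line of `openssl dhparam -text`.
dh_bits() {
  openssl dhparam -in "$1" -noout -text 2>/dev/null |
    sed -n -E 's/.*DH Parameters: \(([0-9]+) bit\).*/\1/p'
}

# Print one finding per line for config $1; return 1 if anything was found.
audit_nginx_dh() {
  local conf="$1" findings=0 file bits tok
  file=$(directive_args ssl_dhparam "$conf" | head -n 1)
  if [ -z "$file" ]; then
    echo "NO_DHPARAM: no ssl_dhparam; NGINX before 1.11.0 falls back to built-in 1024-bit DH"
    findings=1
  else
    bits=$(dh_bits "$file")
    if [ -z "$bits" ]; then
      echo "DHPARAM_UNREADABLE: cannot read DH parameters from $file"; findings=1
    elif [ "$bits" -lt "$MIN_DH_BITS" ]; then
      echo "WEAK_DHPARAM: $file is $bits-bit, want >= $MIN_DH_BITS"; findings=1
    fi
  fi
  # Cipher tokens that enable export-grade suites (no leading '!' or '-').
  for tok in $(directive_args ssl_ciphers "$conf" | tr -d "'\"" | tr ':' ' '); do
    case $tok in
      EXP*) echo "EXPORT_CIPHER: ssl_ciphers enables $tok"; findings=1 ;;
    esac
  done
  if [ "$(directive_args ssl_prefer_server_ciphers "$conf" | head -n 1)" != "on" ]; then
    echo "NO_SERVER_PREFERENCE: ssl_prefer_server_ciphers is not on"; findings=1
  fi
  return "$findings"
}

# Usage: audit_nginx_dh /etc/nginx/nginx.conf
```

Run it on the staging server first; a non-zero return with no output never happens, so an empty result means all three checks passed.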
Finally, you’ll want to update and upgrade your server packages at least weekly. Your Systems Administrator should be able to set up a cron job to run a bash script which executes these updates automatically.
Want some real-life case studies? This is how Code Sport updates and locks down SSL configurations on Apache servers. And although we have not tested this, here’s how the folks at Leftshift updated their NGINX packages.