POODLE = Padding Oracle On Downgraded Legacy Encryption
B.E.A.S.T (Browser Exploit Against SSL TLS)
Affected systems:
Netscape 3.0 ssl tls Netscape affected system: tls Netscape 1.2 Netscape 1.1 tls tls Netscape 1.0
Description: CVE (CAN) ID: CVE-2014-3566
SSL3.0 is obsolete and no security protocol, has been TLS 1.0, TLS 1.1, TLS 1.2 substitution, for compatibility reasons, most of the TLS implementation is still compatible SSL3.0.
Order generic considerations, the current versions of most browsers support SSL3.0, handshake phase contains a version of the TLS protocol negotiation procedure, in general, the client and the latest version of the protocol server will be used. When the handshake phase of its server version of consultations carried out, first offer its latest version of the support agreement, if the handshake fails, then try to negotiate an older version of the protocol. An attacker able to implement the-middle attack by the affected versions of the browser and the server side using the newer protocol negotiated connection fails, you can successfully downgrade attack, allowing the client and server communicate using insecure SSL3.0, At this time, due to the use of SSL 3.0 CBC block encryption implementations exist vulnerability, an attacker can successfully break the encryption SSL connection information, such as access to the user cookie data. This attack is called POODL attack (Padding Oracle On downgraded Legacy Encryption).
This vulnerability affects the majority of SSL server and client, extensive sphere of influence. If you want to use, but the attacker is successful, need to be able to control data (Executive middle attack) between the client and the server.
On October 14th, 2014, a vulnerability in version 3 of the SSL encryption protocol was disclosed. This vulnerability, dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption), allows an attacker to read information encrypted with this version of the protocol in plain text using a man-in-the-middle attack.
Although SSLv3 is an older version of the protocol which is mainly obsolete, many pieces of software still fall back on SSLv3 if better encryption options are not available. More importantly, it is possible for an attacker to force SSLv3 connections if it is an available alternative for both participants attempting a connection.
The POODLE vulnerability affects any services or clients that make it possible to communicate using SSLv3. Because this is a flaw with the protocol design, and not an implementation issue, every piece of software that uses SSLv3 is vulnerable.
To find out more information about the vulnerability, consult the CVE information found at CVE-2014-3566.
What is the POODLE Vulnerability?
The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.
Who is Affected by this Vulnerability?
This vulnerability affects every piece of software that can be coerced into communicating with SSLv3. This means that any software that implements a fallback mechanism that includes SSLv3 support is vulnerable and can be exploited.
Some common pieces of software that may be affected are web browsers, web servers, VPN servers, mail servers, etc.
How Does It Work?
In short, the POODLE vulnerability exists because the SSLv3 protocol does not adequately check the padding bytes that are sent with encrypted messages.
Since these cannot be verified by the receiving party, an attacker can replace these and pass them on to the intended destination. When done in a specific way, the modified payload will potentially be accepted by the recipient without complaint.
An average of once out of every 256 requests will accepted at the destination, allowing the attacker to decrypt a single byte. This can be repeated easily in order to progressively decrypt additional bytes. Any attacker able to repeatedly force a participant to resend data using this protocol can break the encryption in a very short amount of time.
How Can I Protect Myself?
Actions should be taken to ensure that you are not vulnerable in your roles as both a client and a server. Since encryption is usually negotiated between clients and servers, it is an issue that involves both parties.
Servers and clients should should take steps to disable SSLv3 support completely. Many applications use better encryption by default, but implement SSLv3 support as a fallback option. This should be disabled, as a malicious user can force SSLv3 communication if both participants allow it as an acceptable method.
How To Protect Common Applications
Below, we’ll cover how to disable SSLv3 on some common server applications. Take care to evaluate your servers to protect any additional services that may rely on SSL/TCP encryption.
Because the POODLE vulnerability does not represent an implementation problem and is an inherent issue with the entire protocol, there is no workaround and the only reliable solution is to not use it.
Apache
Use the following command in the mod_ssl configuration file to disable SSLv2 and SSLv3:
SSLProtocol all -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
restart Apache
IBM IHS
SSLProtocolDisable SSLv2 SSLv3
restart ibm ihs
How to test the sslv3 enabled
openssls_client -connect <webserver>:443 -ssl3
Nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
restart Nginx
IIS
IIS:
Find the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols
of the registry entry usually contains the following subkey:
* PCT 1.0
* SSL 2.0
* SSL 3.0
* TLS 1.0
are reserved for each registry entry The agreement applies to the relevant information. You can disable any of these agreements on the server. To do this,
create a new DWORD value in the protocol SSL Server 3.0’s child. Set the DWORD value to “00 million.”
Browser Prohibited Method:
IE:
“Tools” ->”Internet Options” -> “Advanced”, uncheck “Use SSL 3.0” check box.
Chrome:
Copy a shortcut usually open Chrome browser on the new shortcut, right-click, enter the property,
at the end of the “target” in the field of space after entering the following command –ssl-version-min = tls1
FireFox:
In the address bar, enter “about: config”, then security.tls.version.min adjusted to 1.
MySQL
openssl ciphers -v ‘DEFAULT’ | awk ‘/SSLv3 Kx=(RSA|DH|DH(512))/ { print $1 }’
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
AES256-SHA
CAMELLIA256-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
DHE-RSA-SEED-SHA
DHE-DSS-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
RC4-SHA
RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5
mysql -se “SHOW STATUS LIKE ‘Ssl_cipher_list’” | sed ‘s/:/n/g’ | sed ‘s/Ssl_cipher_listss//g’ |
while read sspec;
do SPEC=openssl ciphers -v “$sspec” 2>/dev/null | grep -v SSLv3 | awk ‘{print $1}’;
[[ “$sspec” == “$SPEC” ]] && mysql –ssl-cipher=$sspec -e QUIT 2>/dev/null && echo “$sspec OK”;
done
HAPROXY
To disable SSLv3 in an HAProxy load balancer, you will need to open the haproxy.cfg file.
This is located at /etc/haproxy/haproxy.cfg:
nano /etc/haproxy/haproxy.cfg
In your front end configuration, if you have SSL enabled, your bind directive will specify the public IP address and port. If you are using SSL, you will want to add no-sslv3 to the end of this line:
frontend name
bind public_ip:443 ssl crt /path/to/certs no-sslv3
Save and close the file.
You will need to restart the service to implement the changes:
service haproxy restart
OpenVPN VPN Server
Recent versions of OpenVPN actually do not allow SSLv3. The service is not vulnerable to this specific problem, so you will not need to adjust your configuration.
See this post on the OpenVPN forums for more information.
Postfix SMTP Server
If your Postfix configuration is set up to require encryption, it will use a directive called smtpd_tls_mandatory_protocols.
You can find this in the main Postfix configuration file:
nano /etc/postfix/main.cf
For a Postfix server set up to use encryption at all times, you can ensure that SSLv3 and SSLv2 are not accepted by setting this parameter. If you do not force encryption, you do not have to do anything:
smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3
Save your configuration. Restart the service to implement your changes:
service postfix restart
Dovecot IMAP and POP3 Server
In order to disable SSLv3 on a Dovecot server, you will need to adjust a directive called ssl_protocols. Depending on your distributions packaging methods, SSL configurations may be kept in an alternate configuration file.
For most distros, you can adjust this directive by opening this file:
nano /etc/dovecot/conf.d/10-ssl.conf
Inside, if you are using Dovecot 2.1 or higher, set the ssl_protocols directive to disable SSLv2 and SSLv3:
ssl_protocols = !SSLv3 !SSLv2
If you are using a version of Dovecot lower than 2.1, you can set the ssl_cipher_list to disallow SSLv3 like this:
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!SSLv3
Save and close the file.
Restart the service in order to implement your changes:
service dovecot restart
Recent Comments