Wednesday, October 15, 2014

Security Vulnerability Alert: POODLE SSLv3.0 vulnerability

Description:
On 14/10, Google researchers released details of a vulnerability in SSL 3.0 that could allow a malicious user to decrypt content that was supposedly encrypted when visiting SSL-enabled websites. Named the POODLE attack (Padding Oracle On Downgraded Legacy Encryption), it is a padding attack that targets CBC ciphers in SSL v3.

A detailed analysis report of the POODLE exploit by the Google researchers can be found here: https://www.openssl.org/~bodo/ssl-poodle.pdf

Impact
Websites that support SSL v3.0 with CBC-mode ciphers are vulnerable to the attack. According to the report, the flaw allows attackers to steal secure HTTP cookies and headers, among other sensitive data.

Mitigation
  • Google researchers recommend that support for SSL v3.0 be disabled in the end user's browser, on the server, or both, as well as in anything else that relies on downgraded connections (Warning: doing this may “break” connectivity to web applications that are only able to support up to SSL v3.0 and don’t support TLS 1.0, TLS 1.1 or TLS 1.2).
  • If the above is not possible, Google recommends implementing support for “TLS_FALLBACK_SCSV”, the Transport Layer Security Signalling Cipher Suite Value that "prevents protocol downgrade attacks." https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

    “This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks,” explained Möller.
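
The two mitigations above, seen from the server side, as an added example that is not part of the original advisory or of any TLS library: it parses a ClientHello and shows where a server refuses SSL 3.0 outright and where it answers a fallback retry carrying TLS_FALLBACK_SCSV (0x5600) with the inappropriate_fallback alert (86). The function names, the returned strings and the sample ClientHello bytes are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600         # signalling cipher suite value {0x56, 0x00}
ALERT_INAPPROPRIATE_FALLBACK = 86  # fatal alert sent when a downgrade is detected
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
AES128_CBC_SHA = 0x002F            # TLS_RSA_WITH_AES_128_CBC_SHA, a CBC suite


def build_client_hello(version, suites):
    """Constructed sample input: ClientHello body without record/handshake headers."""
    body = struct.pack("!H", version) + bytes(32)   # client_version + random
    body += b"\x00"                                  # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    return body + b"\x01\x00"                        # one compression method: null


def parse_client_hello(body):
    """Return (client_version, cipher_suites) from a ClientHello body."""
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    (version,) = struct.unpack_from("!H", body, 0)
    pos = 35 + body[34]                              # skip version, random, session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack_from("!H", body, i)[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites


def server_decision(body, server_min=TLS10, server_max=TLS12):
    """Apply both mitigations to one ClientHello (hypothetical server policy)."""
    version, suites = parse_client_hello(body)
    if version < server_min:
        return "reject: protocol version disabled"       # mitigation 1: SSL 3.0 off
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        # Mitigation 2: the client says this is a retry at a lower version,
        # yet the server supports a higher one, so something forced the downgrade.
        return f"fatal alert {ALERT_INAPPROPRIATE_FALLBACK}: inappropriate_fallback"
    return "continue handshake"


if __name__ == "__main__":
    retry = build_client_hello(SSL3, [AES128_CBC_SHA, TLS_FALLBACK_SCSV])
    print(server_decision(retry))                        # SSL 3.0 disabled on server
    print(server_decision(retry, server_min=SSL3))       # SSL 3.0 kept, SCSV honoured
```

A client that offers SSL 3.0 without the SCSV is still accepted when `server_min=SSL3`, which is why disabling SSL 3.0 is listed first and the SCSV only as the fallback option.
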
More Information
  1. http://thenextweb.com/google/2014/10/15/web-encryption-vulnerability-opens-encrypted-data-hackers/
  2. http://googleonlinesecurity.blogspot.sg/2014/10/this-poodle-bites-exploiting-ssl-30.html
  3. http://blog.erratasec.com/2014/10/some-poodle-notes.html
  4. http://www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability/
  5. Mozilla Blog - https://blog.Mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
  6. Microsoft - Disabling SSL 3.0 on Servers - http://support.Microsoft.com/kb/187498
  7. Mozilla Add-On - Disabling SSL 3.0 on Mozilla Browser - https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
