My next class:

SSLv3 POODLE Vulnerability Official Release

Published: 2014-10-14. Last Updated: 2014-10-15 14:03:16 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Finally we got an official announcement. For all the details, jump straight to the original announcement [1]. Below see the TL;DR; version:

The problem is limited to SSLv3. SSLv3 is often considered similar to TLSv1.0, but the two protocols are different.

SSLv3 had issues in the past. Remember the BEAST attack? It was never resolved (other then moving to TLS 1.1/2). The only alternative was to use a stream cipher like RC4, which had its own problems.

But this POODLE issue is different. With block ciphers, we have a second problem: What if the block to be encrypted is too short? In this case, padding is used to make up for the missing data. Since the padding isn't really considered part of the message, it is not covered by the MAC (message authorization code) that verified message integrity.

So what does this mean in real live? The impact is similar to the BEAST attack. An attacker may either play MitM, or may be able to decrypt parts of a message if the attacker is able to inject data into the connection just like in the BEAST attack. The attack allows one to decrypt one byte at a time, if the attacker is able to inject messages right after that byte that include only padding.

What should you do: Disable SSLv3. There is no patch for this. SSLv3 has reached the end of its useful life and should be retired. 

This isn't a "patch now". Give it some time, test it carefully, but get going with it. The other problem is that this is a client and a server issue. You need to disable SSLv3 on either. Start with the servers for highest impact, but then see what you can do about clients.

The other option to "fix" this problem is to use SSL implementations that take advantage of the TLS_FALLBACK_SCSV feature. This feature notifies the other side that you first tried the stronger cipher. This way, they can reject the downgrade attempt that may have been introduced by a MitM attack. But it isn't clear which implementations use this feature at this point, and which don't. A patch for OpenSSL 1.0.1 was released earlier today implementing TLS_FALLBACK_SCSV

FAQ

To test if your server is vulnerable: Use https://ssltest.com

To test if your client is vulnerable: We setup a test page at https://www.poodletest.com . If you can connect, then your client supports SSLv3 .

So far, we tested :

  Firefox 32 IE 11 Safari 7.1 Chrome 37 Opera
Windows 7  ok vuln vuln vuln  
OS X 10.9.5 ok N/A vuln vuln  
iOS 8.0.2 vuln N/A vuln vuln vuln

To turn off SSLv3 support in Internet Explorer 11:

Setting -> Internet Options -> Advanced Tab -> Uncheck "SSLv3" under "Security".

 

[1] https://www.openssl.org/~bodo/ssl-poodle.pdf

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
3 comment(s)
My next class:

Comments

See also the Mozilla announcement:
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
I already have Firefox 32, how come the tester says I'm still vulnerable?
Oops! Turning-off SSLV3 in Internet Explorer 11 (under Windows 7 Professional) causes the "online court services" web-site of one very-western Canadian Attorney-General branch of that provincial government to generate a message that SSLV3 needs to be turned-on before one can search for civil court proceedings or disputed parking tickets or criminal court proceedings.

Sigh.

Diary Archives