TZCERT-2014-12: VULNERABILITY ALERT
SSL 3.0 Protocol Vulnerability and POODLE Attack
Date of First Release: 11-12-2014
Source: US-CERT, Symantec, IETF
System Affected:
All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios.
Overview:
The Secure Sockets Layer (SSL) 3.0 cryptograph protocol is vulnerable, a bug has been found in which an attacker could exploit and intercept the encrypted data transferred between the computers and servers.
Description:
The SSL 3.0 currently supported by most web browser, many TLS clients downgrade their cryptography protocol to SSL 3.0 when they are working with legacy servers. The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this new vulnerability to decrypt select content within the SSL session. The decryption is done byte by byte and will generate a large number of connections between the client and server.
Environments such as public Wi-Fi, Hotspots makes this attack a real problem and this type of attack falls into the Man-in-the-Middle (MITM) category.
Impact:
By exploiting this vulnerability in a likely web-based scenario, an attacker can gain access to sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens that can then be used to gain more complete access to a website (impersonating that user, accessing database content, etc.)
Solution:
There is currently no fix for the vulnerability SSL 3.0 itself, as the issue is fundamental to the protocol; however, disabling SSL 3.0 support in system/application configurations is the most viable solution currently available.
Some of the same researchers that discovered the vulnerability also developed a fix for one of the prerequisite conditions; TLS_FALLBACK_SCSV is a protocol extension that prevents MITM attackers from being able to force a protocol downgrade. OpenSSL has added support for TLS_FALLBACK_SCSV to their latest versions and recommend the following upgrades:
• OpenSSL 1.0.1 users should upgrade to 1.0.1j.
• OpenSSL 1.0.0 users should upgrade to 1.0.0o.
• OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
Both clients and servers need to support TLS_FALLBACK_SCSV to prevent downgrade attacks
References:
http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-poodlebleed
https://www.us-cert.gov/ncas/alerts/TA14-290A
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00