POODLE exemplifies a vulnerability that succeeds due to a mechanism designed for reducing security for the sake of interoperability. Such flaws call for extra care when designing systems in domains with high levels of fragmentation. In such domains graceful security degradation may become common.
Around October 28, 29, 2014, Google announced to the world that they had found the SSLv3 POODLE vulnerability and had also patched their servers. As of now, many blogs and various security-related websites have posted the fix. Still, it is recorded here for reference purposes.
Table of Contents
What is SSLv3 vulnerability “Poodle”?
Way of exploiting the vulnerability:
How do I detect Poodle attacks on your network?
Which are the applications that may be affected by this vulnerability?
Is there any programming/development change needed?
How to secure impacted web Servers?
APACHE
IIS
NGINX
How to test the vulnerability is fixed or not?
Can we do something to make aware of clients about their browser’s vulnerability?
After Fix, will there be impact on web-application Users? Which are the impacted web-application Users?
What is SSLv3 vulnerability “Poodle”?
POODLE stands for the 'Padding Oracle on Downgraded Legacy Encryption' attack. It is a new
vulnerability in the SSLv3 protocol. This is an old protocol that is close to sunset, and not many
systems use it. POODLE is a protocol-level vulnerability that can't be easily
fixed. As the POODLE vulnerability is actually in the protocol itself, this isn't something that can
be patched out like the ‘ShellShock’ and ‘HeartBleed’ vulnerabilities found in the OpenSSL protocol in
the past.
Way of exploiting the vulnerability:
The attacker tries to make a client (browser) use SSLv3 when accessing a site that supports SSLv3. By
simulating a failure during the negotiation process, an attacker can force a browser and a server
to renegotiate using an older protocol, right back down to SSLv3. During renegotiation, the attacker
can execute any arbitrary command on the target system.
Detailed explanation is available at https://www.openssl.org/~bodo/ssl-poodle.pdf
How do I detect Poodle attacks on your network?
We don’t have any proven way to detect POODLE attacks on your network, since the most
probable attack setup involves the attacker luring the victim onto their network.
However, on the server side, we can keep watching for an inordinate number of requests that
fail on a decryption error. Not all server software will log events for such cases, but this should
be within the capabilities of any decent IDS.
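The server-side check described above, as an added example that is not part of the original document: it counts decryption failures per client inside a sliding time window. The log format, the failure wording, the threshold and the window are all assumptions to adapt to whatever your server or IDS actually records.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <client IP> <event text>",
# with each client's lines in time order.
LINE_RE = re.compile(r"^(\S+) (\S+) (.+)$")
# Assumed wording for a record that failed decryption or its integrity check.
FAILURE_MARKERS = ("bad_record_mac", "decryption failed")

def find_suspect_clients(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client: peak failure count} for clients that reach the threshold
    of decryption failures inside one sliding time window."""
    recent = defaultdict(deque)  # client -> timestamps of failures still in window
    peaks = {}
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # not in the assumed format
        stamp, client, event = match.groups()
        if not any(marker in event.lower() for marker in FAILURE_MARKERS):
            continue  # successful handshakes and other events are ignored
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # unparseable timestamp
        failures = recent[client]
        failures.append(when)
        while when - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if len(failures) >= threshold:
            peaks[client] = max(peaks.get(client, 0), len(failures))
    return peaks

# Constructed sample: one client failing every 5 seconds, one failing every
# 10 minutes, and one ordinary successful handshake.
SAMPLE_LOG = (
    [f"2014-10-30T10:00:{s:02d} 203.0.113.7 SSLv3 record rejected: bad_record_mac"
     for s in range(5, 35, 5)]
    + [f"2014-10-30T10:{m:02d}:00 198.51.100.20 SSLv3 record rejected: bad_record_mac"
       for m in range(0, 50, 10)]
    + ["2014-10-30T10:00:02 192.0.2.9 handshake ok TLSv1.2"]
)

if __name__ == "__main__":
    for client, count in find_suspect_clients(SAMPLE_LOG).items():
        print(f"{client}: {count} decryption failures within 60 seconds")
```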
Which are the applications that may be affected by this vulnerability?
Applications that use the OpenSSL protocol. In layman’s terms, applications that use the
HTTPS protocol are generally exposed to this vulnerability.
Is there any programming/development change needed?
This is a protocol-level vulnerability, hence no programming/development changes are needed.
However, to ensure all applications are working correctly, we need to smoke test the impacted
applications.
How to secure impacted web Servers?
We must disable SSL 3 on our servers. To do this, follow the recommendations below for your web
server.
APACHE
To disable SSLv3 on your Apache server you can configure it using the following.
SSLProtocol All -SSLv2 -SSLv3
This will give you support for TLSv1.0, TLSv1.1 and TLSv1.2, but explicitly removes support for
SSLv2 and SSLv3. Check the config and then restart Apache.
apachectl configtest
sudo service apache2 restart
IIS
Microsoft has released a patch for this fix. Please apply the fix given at
https://support.microsoft.com/kb/187498/en-us
OR
If you want to apply the fix manually, follow these steps.
This one requires some registry tweaks and a server reboot but still isn't all that bad. Microsoft
have a support article with the required information, but all you need to do is modify/create a
registry DWORD value.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Inside protocols you will most likely have an SSL 2.0 key already, so create SSL 3.0 alongside it if
needed. Under that create a Server key and inside there a DWORD value called Enabled with
value 0. Once that's done reboot the server for the changes to take effect.
NGINX
Disabling SSLv3 support on NGINX is also really easy.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Similar to the Apache config above, you will get TLSv1.0+ support and no SSL. You can check the
config and restart.
sudo nginx -t
sudo service nginx restart
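An added example, not part of the original document, that audits configuration text for SSLProtocol (Apache) and ssl_protocols (NGINX) directives that still leave SSLv3 enabled. It assumes that Apache's "all" includes SSLv3, as the "-SSLv3" in the line above implies, and that a bare Apache protocol name replaces whatever was set before it; it evaluates explicit directives only, not server defaults.

```python
import re

# Assumption: "all" still includes SSLv3, as the "-SSLv3" in the Apache line implies.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
DIRECTIVE_RE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^#;]+)", re.IGNORECASE)

def enabled_protocols(line):
    """Return the lowercased protocols one directive line enables, or None."""
    match = DIRECTIVE_RE.match(line)
    if not match:
        return None  # comment, blank line or unrelated directive
    name, tokens = match.group(1).lower(), match.group(2).lower().split()
    if name == "ssl_protocols":  # nginx: a plain list of protocol names
        return set(tokens)
    enabled = set()
    for token in tokens:  # Apache: all, +proto, -proto or a bare proto
        sign, proto = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        group = APACHE_ALL if proto == "all" else {proto}
        if sign == "-":
            enabled = enabled - group
        elif sign == "+":
            enabled = enabled | group
        else:
            enabled = set(group)  # assumed: a bare token replaces earlier ones
    return enabled

def sslv3_findings(config_text):
    """Return (line_number, directive) for each directive that leaves SSLv3 on."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        protocols = enabled_protocols(line)
        if protocols is not None and "sslv3" in protocols:
            findings.append((number, line.strip()))
    return findings

# Constructed sample directives, not taken from a real server.
SAMPLE = """\
SSLProtocol All -SSLv2 -SSLv3
SSLProtocol all -SSLv2
# SSLProtocol all
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
SSLProtocol -all +TLSv1.2 +SSLv3
"""

if __name__ == "__main__":
    for number, directive in sslv3_findings(SAMPLE):
        print(f"line {number}: SSLv3 still enabled by: {directive}")
```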
How to test the vulnerability is fixed or not?
You can verify all web servers using
https://www.ssllabs.com/ssltest/index.html
Please make sure that you check the “Do not show the results on the boards” checkbox.
Can we do something to make aware of clients about their browser’s
vulnerability?
Yes, we can. We can ask users to check at
https://www.ssllabs.com/ssltest/viewMyClient.html
We can convey this through a notice email, a popup alert, or any other way suggested by the
business. In addition to the above, we can always ask users to use the latest browsers.
It is also possible to protect application users from POODLE by asking them to disable SSLv3
support in their browsers. This means that even if the server does offer SSLv3 support, user
browser will never use it, even during a protocol downgrade attack.
FIREFOX
Firefox users can install following add-on to protect themselves.
https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
CHROME
Chrome users don't have an option in the GUI to disable SSLv3 as Google removed it due to
confusion over whether SSLv3 or TLSv1 was better with one having a higher numeric value.
Instead you can add the command line flag --ssl-version-min=tls1 to enforce the use of TLS and
prevent any connection using the SSL protocol. In Windows, right click on your Chrome
shortcut, hit Properties and add the command line flag as seen in the image below.
If you use Google Chrome on Mac, Linux, Chrome OS or Android, you can follow these
instructions here.
INTERNET EXPLORER
Fixing up Internet Explorer is also pretty easy. Go to Settings, Internet Options and click on the
Advanced tab. Scroll down until you see the Use SSL 3.0 checkbox and uncheck it.
After Fix, will there be impact on web-application Users? Which are the
impacted web-application Users?
After disabling SSLv3 support on web servers, systems using IE6 and Windows XP
installations without SP3 will no longer be able to communicate with the website.