Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Bark and Bite? The Essential Facts on the POODLE Vulnerability

Another high-profile vulnerability has been unearthed. Following the unwelcome emergence of Heartbleed and Shellshock, this new flaw - known as POODLE - can lead to theft of data during supposedly private communications. The weakness resides in the legacy encryption protocol SSL version 3.0, a nearly two-decade-old security protocol that was designed to permit client and server applications to communicate over the web without the possibility of data theft, eavesdropping, tampering or modification.

Before we dive into the threat details, you should know the actions Trustwave has taken to help protect you. Trustwave Vulnerability Management has been updated to help detect web servers and services that use SSL 3.0. We have also investigated our own systems to reconfigure any affected systems. Our websites and portals, including TrustKeeper, have either already been reconfigured or verified as not vulnerable. Some products may require manual configuration changes to disable SSL 3.0. Check the Trustwave Support Knowledgebase for more information or contact Trustwave support.

Let's now bring in one of Trustwave's resident threat experts, Karl Sigler, to help us better understand how this vulnerability operates and what the potential fallout is.

Dan Kaplan, Trustwave online content manager: Hi Karl. So why is POODLE even an issue? Haven't most organizations updated beyond SSL 3.0?

Karl Sigler, Trustwave threat intelligence manager: You would think so considering the age of SSL 3.0 and previous vulnerabilities discovered in the protocol. SSLv3.0 has been superseded by TLS versions 1.0-1.2, with each version adding new security features and bug fixes. Unfortunately, SSLv3.0 is still implemented on many servers for support of legacy clients, like Internet Explorer 6.

DK: OK so how did this bug get its name?

KS: The actual attack is a padding oracle attack on CBC (cipher block chaining) encryption that can leak data to the attacker - hence why this SSL vulnerability is memorably named POODLE (Padding Oracle on Downgraded Legacy Encryption). Padding oracle attacks are a specific attack on encrypted data that uses "padding" to leak information from the encrypted channel. It's similar to older attack techniques like Lucky Thirteen and BEAST, which were disclosed in the past couple of years.

I should note that individual SSL certificates are not affected by the POODLE vulnerability, and customers do not need to replace any.

DK: How does an attack work?

KS: The attack requires a man-in-the-middle to force the client and server connection to fall back to SSL v3.0. Both the client and the server must support SSLv3.0, but this is a common default for most servers and web browsers. After the connection has been downgraded to SSLv3.0, the attack works on the aforementioned known weakness in CBC encryption that can leak data to the attacker.

In an attempted attack scenario, the intruder would insert himself into the session using JavaScript code injected into the client's web browser, either by exploiting a browser flaw, forcing the user to a malicious web page or using a cross-site scripting vulnerability. Again, this is the exact same technique used by BEAST, and it isn't always successful. There are a number of variables involved.

DK: What is the impact on the user?

KS: The attack would be typically used to leak session cookie information in order to hijack a victim's encrypted session to an "HTTPS" protected site

DK: How can users or organizations protect themselves?

KS: There is no patch for this vulnerability and the only way to prevent the vulnerability is to disable SSL v3.0 completely.

As of now, we haven't seen proofs-of-concept (PoC) taking advantage of this defect, although there's no doubt people are racing to get theirs done and posted. No active attacks have been seen either, but this type of client, man-in-the-middle attack is hard to detect. At any rate, until a stable PoC is released, I doubt there will be any major exploitation. Even afterward, exploitation will likely be confined to public networks like cybercafés and libraries.

DK: Who needs to disable SSL v3.0? And any other advice to avoid falling victim to an attack?

KS: I would say all web servers or other services using SSL should disable SSL v3.0 unless there is a very specific reason to keep it. All modern web browsers are capable of negotiating the more up-to-date TLS encryption protocol. The only common web browser that only accepts SSL v3.0 is Internet Explorer 6, which is close to 15 years old. It doesn't make sense for web admins to risk the security of all of their users for the sake of a very small percentage of legacy web browsers.

As an end-user, most web browsers allow you to disable SSL v3.0 locally from your configuration settings. Disabling SSL v3.0 locally will definitely keep POODLE at bay.

DK: This appears to be the latest in a sad procession of major internet bugs in recent months that seek to rattle the underlying foundation of the web. Is this similar to, say, Heartbleed?

KS: Unlike Heartbleed, this attack cannot be performed directly against SSL servers. An attacker would need to be in between a victim and server during an active session in order to pull off this attack - and it attacks the client's data, not the web server itself.

Update 12/10/14: A new variant on POODLE has emerged. It does not require the attacker to downgrade the protocol and works on specific implementations of the most current specification, TLS 1.2. Currently this new POODLE variant only seems to affect the custom encryption libraries implemented by load balancers sold by two manufacturers. These load balancers are often used in a web environments making them vulnerable.

Latest Trustwave Blogs

Unlocking Cyber Resilience: UK’s NCSC Drafts Code of Practice to Elevate Cybersecurity Governance in UK Businesses

In late January, the UK’s National Cyber Security Centre (NCSC) issued the draft of its Code of Practice on Cybersecurity Governance. The document's goal is to raise the profile of cyber issues with...

Read More

Defending Healthcare Databases: Strategies to Safeguard Critical Information

The healthcare sector continues to be a primary target for threat actors, with 2023 seeing a record number of data breaches and compromised records. While successful attacks are inevitable, it’s...

Read More

Trustwave SpiderLabs: Ransomware Gangs Dominate 2024 Education Threat Landscape

The security teams manning the defenses at the higher education and primary school system levels often find themselves being tested by threat actors taking advantage of the sector's inherent cyber...

Read More