Bark and Bite? The Essential Facts on the POODLE Vulnerability

Another high-profile vulnerability has been unearthed. Following the unwelcome emergence of Heartbleed and Shellshock, this new flaw - known as POODLE - can lead to theft of data during supposedly private communications. The weakness resides in the legacy encryption protocol SSL version 3.0, a nearly two-decade-old security protocol that was designed to permit client and server applications to communicate over the web without the possibility of data theft, eavesdropping, tampering or modification.

Before we dive into the threat details, you should know the actions Trustwave has taken to help protect you. Trustwave Vulnerability Management has been updated to help detect web servers and services that use SSL 3.0. We have also investigated our own systems to reconfigure any affected systems. Our websites and portals, including TrustKeeper, have either already been reconfigured or verified as not vulnerable. Some products may require manual configuration changes to disable SSL 3.0. Check the Trustwave Support Knowledgebase for more information or contact Trustwave support.

Let's now bring in one of Trustwave's resident threat experts, Karl Sigler, to help us better understand how this vulnerability operates and what the potential fallout is.

Dan Kaplan, Trustwave online content manager: Hi Karl. So why is POODLE even an issue? Haven't most organizations updated beyond SSL 3.0?

Karl Sigler, Trustwave threat intelligence manager: You would think so considering the age of SSL 3.0 and previous vulnerabilities discovered in the protocol. SSLv3.0 has been superseded by TLS versions 1.0-1.2, with each version adding new security features and bug fixes. Unfortunately, SSLv3.0 is still implemented on many servers for support of legacy clients, like Internet Explorer 6.

DK: OK so how did this bug get its name?

KS: The actual attack is a padding oracle attack on CBC (cipher block chaining) encryption that can leak data to the attacker - hence why this SSL vulnerability is memorably named POODLE (Padding Oracle on Downgraded Legacy Encryption). Padding oracle attacks are a specific attack on encrypted data that uses "padding" to leak information from the encrypted channel. It's similar to older attack techniques like Lucky Thirteen and BEAST, which were disclosed in the past couple of years.

I should note that individual SSL certificates are not affected by the POODLE vulnerability, and customers do not need to replace any.

DK: How does an attack work?

KS: The attack requires a man-in-the-middle to force the client and server connection to fall back to SSL v3.0. Both the client and the server must support SSLv3.0, but this is a common default for most servers and web browsers. After the connection has been downgraded to SSLv3.0, the attack works on the aforementioned known weakness in CBC encryption that can leak data to the attacker.

In an attempted attack scenario, the intruder would insert himself into the session using JavaScript code injected into the client's web browser, either by exploiting a browser flaw, forcing the user to a malicious web page or using a cross-site scripting vulnerability. Again, this is the exact same technique used by BEAST, and it isn't always successful. There are a number of variables involved.

DK: What is the impact on the user?

KS: The attack would be typically used to leak session cookie information in order to hijack a victim's encrypted session to an "HTTPS" protected site.

DK: How can users or organizations protect themselves?

KS: There is no patch for this vulnerability and the only way to prevent the vulnerability is to disable SSL v3.0 completely.

As of now, we haven't seen proofs-of-concept (PoC) taking advantage of this defect, although there's no doubt people are racing to get theirs done and posted. No active attacks have been seen either, but this type of client, man-in-the-middle attack is hard to detect. At any rate, until a stable PoC is released, I doubt there will be any major exploitation. Even afterward, exploitation will likely be confined to public networks like cybercafés and libraries.

DK: Who needs to disable SSL v3.0? And any other advice to avoid falling victim to an attack?

KS: I would say all web servers or other services using SSL should disable SSL v3.0 unless there is a very specific reason to keep it. All modern web browsers are capable of negotiating the more up-to-date TLS encryption protocol. The only common web browser that only accepts SSL v3.0 is Internet Explorer 6, which is close to 15 years old. It doesn't make sense for web admins to risk the security of all of their users for the sake of a very small percentage of legacy web browsers.

As an end-user, most web browsers allow you to disable SSL v3.0 locally from your configuration settings. Disabling SSL v3.0 locally will definitely keep POODLE at bay.

DK: This appears to be the latest in a sad procession of major internet bugs in recent months that seek to rattle the underlying foundation of the web. Is this similar to, say, Heartbleed?

KS: Unlike Heartbleed, this attack cannot be performed directly against SSL servers. An attacker would need to be in between a victim and server during an active session in order to pull off this attack - and it attacks the client's data, not the web server itself.

Update 12/10/14: A new variant on POODLE has emerged. It does not require the attacker to downgrade the protocol and works on specific implementations of the most current specification, TLS 1.2. Currently this new POODLE variant only seems to affect the custom encryption libraries implemented by load balancers sold by two manufacturers. These load balancers are often used in web environments, making them vulnerable.
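The mitigation given in the interview above is to disable SSL v3.0 on servers. One way to audit configuration files for it, as an added example that is not part of the original post or any Trustwave tooling: the sketch below scans nginx `ssl_protocols` and Apache `SSLProtocol` directives and reports those that leave SSLv3 enabled. The sample configurations are constructed, the function names are hypothetical, and Apache's `all` is assumed to include SSLv3.

```python
import re

# Constructed sample configurations (not taken from any real server).
NGINX_SAMPLE = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 8443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2;
}
"""
APACHE_SAMPLE = """
SSLProtocol all -SSLv2
<VirtualHost *:443>
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

# Matches an uncommented nginx ssl_protocols or Apache SSLProtocol directive.
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.I)


def apache_enables_sslv3(tokens):
    """Apply SSLProtocol tokens left to right; True if SSLv3 ends up enabled."""
    enabled = False
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() in ("all", "sslv3"):
            # Assumption: "all" includes SSLv3 (the conservative reading).
            enabled = sign != "-"
        elif sign == "":
            enabled = False  # a bare protocol name replaces the whole set
    return enabled


def find_sslv3(config_text):
    """Return (line_number, directive) for each directive leaving SSLv3 on."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, args = m.group(1).lower(), m.group(2).split()
        if name == "ssl_protocols":
            bad = any(a.lower() == "sslv3" for a in args)
        else:
            bad = apache_enables_sslv3(args)
        if bad:
            findings.append((lineno, line.strip()))
    return findings
```

A missing directive falls back to the server's built-in default, which this check does not evaluate.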
