Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Bark and Bite? The Essential Facts on the POODLE Vulnerability

Another high-profile vulnerability has been unearthed. Following the unwelcome emergence of Heartbleed and Shellshock, this new flaw - known as POODLE - can lead to theft of data during supposedly private communications. The weakness resides in the legacy encryption protocol SSL version 3.0, a nearly two-decade-old security protocol that was designed to permit client and server applications to communicate over the web without the possibility of data theft, eavesdropping, tampering or modification.

Before we dive into the threat details, you should know the actions Trustwave has taken to help protect you. Trustwave Vulnerability Management has been updated to help detect web servers and services that use SSL 3.0. We have also investigated our own systems to reconfigure any affected systems. Our websites and portals, including TrustKeeper, have either already been reconfigured or verified as not vulnerable. Some products may require manual configuration changes to disable SSL 3.0. Check the Trustwave Support Knowledgebase for more information or contact Trustwave support.

Let's now bring in one of Trustwave's resident threat experts, Karl Sigler, to help us better understand how this vulnerability operates and what the potential fallout is.

Dan Kaplan, Trustwave online content manager: Hi Karl. So why is POODLE even an issue? Haven't most organizations updated beyond SSL 3.0?

Karl Sigler, Trustwave threat intelligence manager: You would think so considering the age of SSL 3.0 and previous vulnerabilities discovered in the protocol. SSLv3.0 has been superseded by TLS versions 1.0-1.2, with each version adding new security features and bug fixes. Unfortunately, SSLv3.0 is still implemented on many servers for support of legacy clients, like Internet Explorer 6.

DK: OK so how did this bug get its name?

KS: The actual attack is a padding oracle attack on CBC (cipher block chaining) encryption that can leak data to the attacker - hence why this SSL vulnerability is memorably named POODLE (Padding Oracle on Downgraded Legacy Encryption). Padding oracle attacks are a specific attack on encrypted data that uses "padding" to leak information from the encrypted channel. It's similar to older attack techniques like Lucky Thirteen and BEAST, which were disclosed in the past couple of years.

I should note that individual SSL certificates are not affected by the POODLE vulnerability, and customers do not need to replace any.

DK: How does an attack work?

KS: The attack requires a man-in-the-middle to force the client and server connection to fall back to SSL v3.0. Both the client and the server must support SSLv3.0, but this is a common default for most servers and web browsers. After the connection has been downgraded to SSLv3.0, the attack works on the aforementioned known weakness in CBC encryption that can leak data to the attacker.

In an attempted attack scenario, the intruder would insert himself into the session using JavaScript code injected into the client's web browser, either by exploiting a browser flaw, forcing the user to a malicious web page or using a cross-site scripting vulnerability. Again, this is the exact same technique used by BEAST, and it isn't always successful. There are a number of variables involved.

DK: What is the impact on the user?

KS: The attack would be typically used to leak session cookie information in order to hijack a victim's encrypted session to an "HTTPS" protected site

DK: How can users or organizations protect themselves?

KS: There is no patch for this vulnerability and the only way to prevent the vulnerability is to disable SSL v3.0 completely.

As of now, we haven't seen proofs-of-concept (PoC) taking advantage of this defect, although there's no doubt people are racing to get theirs done and posted. No active attacks have been seen either, but this type of client, man-in-the-middle attack is hard to detect. At any rate, until a stable PoC is released, I doubt there will be any major exploitation. Even afterward, exploitation will likely be confined to public networks like cybercafés and libraries.

DK: Who needs to disable SSL v3.0? And any other advice to avoid falling victim to an attack?

KS: I would say all web servers or other services using SSL should disable SSL v3.0 unless there is a very specific reason to keep it. All modern web browsers are capable of negotiating the more up-to-date TLS encryption protocol. The only common web browser that only accepts SSL v3.0 is Internet Explorer 6, which is close to 15 years old. It doesn't make sense for web admins to risk the security of all of their users for the sake of a very small percentage of legacy web browsers.

As an end-user, most web browsers allow you to disable SSL v3.0 locally from your configuration settings. Disabling SSL v3.0 locally will definitely keep POODLE at bay.

DK: This appears to be the latest in a sad procession of major internet bugs in recent months that seek to rattle the underlying foundation of the web. Is this similar to, say, Heartbleed?

KS: Unlike Heartbleed, this attack cannot be performed directly against SSL servers. An attacker would need to be in between a victim and server during an active session in order to pull off this attack - and it attacks the client's data, not the web server itself.

Update 12/10/14: A new variant on POODLE has emerged. It does not require the attacker to downgrade the protocol and works on specific implementations of the most current specification, TLS 1.2. Currently this new POODLE variant only seems to affect the custom encryption libraries implemented by load balancers sold by two manufacturers. These load balancers are often used in a web environments making them vulnerable.

Latest Trustwave Blogs

De-Risk Technology Transitions and Save Money with Trustwave

With all the issues happening in cybersecurity technology lately, such as CrowdStrike’s software update that caused massive outages worldwide last week, it behooves all organizations to take a...

Read More

How Cybercriminals Use Breaking News for Phishing Attacks

Trustwave SpiderLabs issued a warning that threat actors may attempt to take advantage of CrowdStrike’s software update that caused widespread outages by using the news as the center of a social...

Read More

Trustwave Response: CrowdStrike Falcon Outage Update

Trustwave is proactively assessing and monitoring our clients who may have been impacted by CrowdStrike’s recently rolled-out update for its Windows users. The critical issue identified with...

Read More