POODLE: A new vulnerability in SSLv3

Oct 07, 2014

In October 2014, an OpenSSL vulnerability relating to Secure Sockets Layer (SSL) was discovered by Bodo Moeller, Thai Duong and Krzysztof Kotowicz of Google Security. SSL is the standard security technology for establishing encrypted communications between a web browser and a web site, and ensures that the transmitted data remains private. It is used by a wide variety of websites, including online shopping and many other sites that process your personal details. This issue only affects SSLv3, which has so far been widely considered secure.

As you may have heard in recent news, SSLv2 is vulnerable to Heartbleed, but now security issues have also been uncovered in SSLv3. This new vulnerability is known as POODLE, which stands for “Padding Oracle On Downgraded Legacy Encryption”. In theory, this issue is similar to an SSL-related vulnerability called BEAST, discovered in 2011. The ‘Browser Exploit Against SSL/TLS’ (BEAST) vulnerability allowed attackers to acquire plain-text data by exploiting a weakness in the algorithm used to encrypt it. This puts website users at risk, as their personal data (including passwords and credit card numbers) could be stolen by attackers.

So what is POODLE?
POODLE is a security vulnerability in SSLv3 that an attacker can abuse to decrypt data in transit that SSL has encrypted. The root of the problem is the way the protocol handles Cipher Block Chaining (CBC) mode padding. CBC mode is a way of encrypting data block by block that is used by a variety of browsers and web servers, and padding fills out the final block to the cipher's block size.

At a high level, an attacker who exploits this weakness makes many requests to the server and uses its responses to deduce the final byte of a data block, then works backwards one byte at a time until the whole data block has been recovered, which is what lets them carry out the attack.
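The padding check is the heart of the weakness described above. The following added example (not code from the original post or from any SSL library) shows, on an already-decrypted CBC record body, how an SSLv3 receiver validates padding compared with a TLS receiver: SSLv3 checks only the trailing length byte, while TLS checks every padding byte. The 16-byte block size and the sample payloads are assumptions chosen for the illustration; the MAC step that follows padding removal is left out.

```python
"""SSLv3 versus TLS handling of CBC padding.

Added illustration, not code from the original post or from any SSL library.
Both receivers below operate on a record body that has already been decrypted
(the block-cipher step and the MAC check that follows are left out). The
16-byte block size is an assumption standing in for a 128-bit block cipher.
"""

BLOCK_SIZE = 16  # assumption: 128-bit block cipher in CBC mode


class PaddingError(ValueError):
    """Raised when a decrypted record carries padding the receiver must reject."""


def _pad_len(payload_len: int, block_size: int) -> int:
    # Filler bytes needed so that payload + filler + one length byte fills whole blocks.
    return (block_size - (payload_len + 1) % block_size) % block_size


def pad_tls(payload: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """TLS 1.0+ padding: every padding byte, the trailing length byte included, equals the padding length."""
    n = _pad_len(len(payload), block_size)
    return payload + bytes([n]) * (n + 1)


def pad_ssl3(payload: bytes, filler: bytes = b"\x00", block_size: int = BLOCK_SIZE) -> bytes:
    """SSLv3 padding: the filler bytes are unspecified by the protocol; only the last byte carries the length."""
    n = _pad_len(len(payload), block_size)
    return payload + filler * n + bytes([n])


def unpad_ssl3(plaintext: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """SSLv3 receiver: the only rule is that the length byte is smaller than the block size.

    The content of the padding bytes is never verified, so altered padding is stripped
    silently and the MAC, which covers only the payload, still verifies."""
    if not plaintext or len(plaintext) % block_size:
        raise PaddingError("record length is not a multiple of the block size")
    n = plaintext[-1]
    if n >= block_size:
        raise PaddingError("padding length must be smaller than the block size")
    return plaintext[: len(plaintext) - (n + 1)]


def unpad_tls(plaintext: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """TLS receiver: every padding byte must equal the length byte, so altered padding is rejected."""
    if not plaintext or len(plaintext) % block_size:
        raise PaddingError("record length is not a multiple of the block size")
    n = plaintext[-1]
    if n + 1 > len(plaintext):
        raise PaddingError("padding length exceeds record length")
    if any(b != n for b in plaintext[len(plaintext) - (n + 1):]):
        raise PaddingError("padding bytes do not all equal the padding length")
    return plaintext[: len(plaintext) - (n + 1)]


def rejects(unpad, plaintext: bytes) -> bool:
    """True if the given receiver refuses the decrypted record."""
    try:
        unpad(plaintext)
    except PaddingError:
        return True
    return False


def accepted_final_bytes(unpad, final_block: bytes) -> int:
    """How many of the 256 possible values of the last byte make `unpad` accept `final_block`
    (the padding check alone, before any MAC verification)."""
    return sum(not rejects(unpad, final_block[:-1] + bytes([v])) for v in range(256))


def demo() -> None:
    record = pad_tls(b"hello")                      # constructed: 5 payload bytes + 11 padding bytes
    tampered = record[:-2] + b"\xff" + record[-1:]  # alter one padding byte, keep the length byte
    print("SSLv3 receiver rejects tampered padding:", rejects(unpad_ssl3, tampered))  # False
    print("TLS receiver rejects tampered padding:  ", rejects(unpad_tls, tampered))   # True
    block = b"\xaa" * BLOCK_SIZE  # constructed all-padding block with arbitrary filler
    print("final-byte values accepted by SSLv3 check:", accepted_final_bytes(unpad_ssl3, block))  # 16
    print("final-byte values accepted by TLS check:  ", accepted_final_bytes(unpad_tls, block))   # 1


if __name__ == "__main__":
    demo()
```

The two counts at the end are the point: a TLS receiver accepts a tampered final block for exactly one length value, whereas an SSLv3 receiver accepts any length byte below the block size and never looks at the filler, so its accept/reject behaviour tells an observer something about the decrypted bytes. That is what "padding oracle" in the name refers to.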

The majority of the web applications we use online today implement the TLS protocol for secure communication of sensitive information, but a small subset of websites still use SSLv3 for this. Using POODLE, an attacker can eavesdrop on data in transit and steal sensitive information including usernames, passwords, credit card details, Social Security numbers and other sensitive details.

Taking likelihood and impact together, this vulnerability is considered a medium-level risk, since exploiting POODLE is extremely difficult. The reasons for this are:

• an attacker needs a privileged position on the network, between the user and the server, in order to intercept the encrypted traffic.
• POODLE requires that your network-accessible resources allow a protocol downgrade from TLS to SSLv3.

Am I Vulnerable?
The identified flaw exists in SSLv3. Given that exploitation of this issue is quite difficult and only a limited number of applications use the vulnerable version, the chance of being compromised is relatively low. However, if the issue is exploited successfully, it can allow an attacker to impersonate the legitimate user and/or steal the user's sensitive information in transit.

How can we ensure that we are protected against the POODLE vulnerability?
The vendor's recommended fix is to disable SSLv3 completely, so you should ensure that SSLv3 is disabled in your web clients. Website owners should evaluate their traffic now and stop serving clients over SSLv3. It is also advised to implement TLS_FALLBACK_SCSV, which prevents the protocol downgrade.

SSLv3 is now close to being considered an obsolete and insecure protocol. It has been replaced by TLS (Transport Layer Security) 1.0, 1.1 and 1.2, but many TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems. The POODLE vulnerability affects every service and client that allows a protocol downgrade from TLS to SSLv3. The only way to defend against this is to make sure that all network-accessible services and clients do not support protocol downgrade. It is advised to disable SSLv3 completely at both the client and the server end.
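To make the two mitigations concrete, here is an added example (not code from the original post or from any TLS library) that models version negotiation between a client that retries one protocol version lower after each failed handshake and a server that either still accepts SSLv3 or has it disabled, with and without the client sending TLS_FALLBACK_SCSV. The message structures are reduced to the fields the negotiation needs; the `dropped_above` parameter, the server configurations and the transcript format are assumptions made for the illustration.

```python
"""Protocol-version negotiation with the two server-side mitigations from the post:
refusing SSLv3 outright, and honouring TLS_FALLBACK_SCSV (RFC 7507) so that a
downgraded retry is rejected instead of being served.

Added example, not code from the original post or from any TLS library. Messages
are reduced to the fields the negotiation needs; the wire encoding is omitted.
"""
from dataclasses import dataclass

SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303   # ProtocolVersion values
NAMES = {SSL3: "SSLv3", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}
TLS_FALLBACK_SCSV = 0x5600   # signalling cipher-suite value assigned in RFC 7507
AES128_SHA = 0x002F          # TLS_RSA_WITH_AES_128_CBC_SHA, a real suite used here as filler


@dataclass
class ClientHello:
    client_version: int      # highest version the client is willing to use in this attempt
    cipher_suites: list


@dataclass(frozen=True)
class ServerConfig:
    supported_versions: frozenset


def handle_client_hello(config: ServerConfig, hello: ClientHello) -> tuple:
    """Server side. Returns ("ServerHello", version) or ("Alert", description)."""
    server_max = max(config.supported_versions)
    if TLS_FALLBACK_SCSV in hello.cipher_suites and hello.client_version < server_max:
        # RFC 7507 section 3: the client says this hello is a fallback retry, yet we support
        # a higher version, so its earlier attempt cannot have failed because of us.
        return ("Alert", "inappropriate_fallback")
    candidates = [v for v in config.supported_versions if v <= hello.client_version]
    if not candidates:
        return ("Alert", "protocol_version")   # e.g. an SSLv3 hello to a server with SSLv3 disabled
    return ("ServerHello", max(candidates))


def downgrade_dance(config, client_max=TLS12, client_min=SSL3, sends_scsv=True, dropped_above=None):
    """Client side, modelling the 2014 browser behaviour of retrying one version lower after
    each failed handshake. `dropped_above` (an assumption for this model) makes every hello
    above that version fail, standing in for the interference the post describes.
    Returns (transcript, negotiated version name or None)."""
    transcript = []
    version = client_max
    while version >= client_min:
        suites = [AES128_SHA]
        if sends_scsv and version < client_max:
            suites.append(TLS_FALLBACK_SCSV)    # "this is a retry below my real maximum"
        if dropped_above is not None and version > dropped_above:
            transcript.append((NAMES[version], "handshake failed, retrying lower"))
            version -= 1
            continue
        kind, detail = handle_client_hello(config, ClientHello(version, suites))
        transcript.append((NAMES[version], f"{kind} {NAMES.get(detail, detail)}"))
        if kind == "ServerHello":
            return transcript, NAMES[detail]
        if detail == "inappropriate_fallback":
            return transcript, None   # the server has told the client not to keep falling back
        version -= 1
    return transcript, None


LEGACY_SERVER = ServerConfig(frozenset({SSL3, TLS10, TLS11, TLS12}))  # still accepts SSLv3
HARDENED_SERVER = ServerConfig(frozenset({TLS10, TLS11, TLS12}))      # SSLv3 disabled


if __name__ == "__main__":
    cases = [
        ("legacy server, no SCSV, interference", LEGACY_SERVER, False, SSL3),
        ("legacy server, SCSV, interference", LEGACY_SERVER, True, SSL3),
        ("SSLv3 disabled, no SCSV, interference", HARDENED_SERVER, False, SSL3),
        ("legacy server, clean network", LEGACY_SERVER, True, None),
    ]
    for label, cfg, scsv, dropped in cases:
        transcript, result = downgrade_dance(cfg, sends_scsv=scsv, dropped_above=dropped)
        print(f"{label}: negotiated {result}")
        for step in transcript:
            print("   ", *step)
```

Only the first case ends with an SSLv3 session. Disabling SSLv3 on the server stops the dance with a `protocol_version` alert, and TLS_FALLBACK_SCSV lets a server that still needs SSLv3 for genuinely old clients refuse a downgraded retry from a client that it knows can do better; an old client whose real maximum is TLS 1.0 never sends the SCSV and is served as before.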

To find out more about how to secure your data against security vulnerabilities, contact us.