How to Neuter POODLE (New SSL Vulnerability)

Surprise, surprise… Researcher’s have found yet another OpenSSL vulnerability. They’ve named this one POODLE. Silly name, I know, but at least it stands for something—Padding Oracle On Downgraded Legacy Encryption.

Attack POODLE

In short, POODLE is a protocol level cryptography flaw in Secure Sockets Layer version 3 (SSLv3), which is one of the many encryption protocols available to SSL/TLS implementations like OpenSSL, used to encrypt network traffic. While SSL can encrypt any traffic, it’s most commonly associated with secure web communications (HTTPS). SSLv3 is one of the older encryption protocols in OpenSSL’s library, having been around for 18 years or so. Newer protocols like TLS 1.0-1.2 are much more secure, but we’ve kept SSLv3 around for legacy interoperability reasons. Since this new vulnerability allows attackers to decrypt SSLv3 traffic, it’s time we get rid of SSLv3 for good.

The POODLE flaw is fairly complex, and hard to understand without a deeper comprehension of cryptography. If you’d really like to dive into the details, I recommend you read the paper [PDF] by the Google researchers who found the flaw, or check out this detailed explanation. However, here are the basics:

First, this vulnerability requires a Man-in-the-Middle (MitM) attack to succeed. An attacker can only perform it if he can intercept traffic between you and the SSL server. Performing MitM attacks can range from extremely difficult to trivial, depending on the circumstances. For instance, if you join an unsecured WiFi network, attackers on the same network can quite easily intercept your traffic, whereas intercepting Internet traffic is exceptionally more difficult, and typically requires ISP level interception (or at least DNS poisoning) to pull off.
Next, this attack only works against SSLv3 encrypted traffic, so the attacker needs to somehow force you to use it. This is a much easier hurdle for attackers to overcome. The SSL/TLS protocol includes a “downgrade” feature that allows SSL clients and servers to negotiate which encryption protocol they agree on, depending on what they both support. With a MitM attack, the attacker can intercept and manipulated the negotiations to ensure your browser and the server settle on SSLv3 encryption.
At this point, an attacker can take advantage of the SSLv3 flaw (which is essentially a vulnerability in how SSLv3’s CBC cipher suites use padding) to decrypt certain bytes of your secured traffic. Again, see the paper if you are interested in the technical and mathematical detail. However, there are some caveats here. Basically, the educated guesses used in this attack will only work 1 in 256 times. So this attack requires the same data be sent over newly created SSLv3 connection hundreds of times. Forcing hundreds of requests is easy when targeting web browsers, since the MitM attack allows the attacker to inject malicious javascript into your web session. This javascript allows the attacker to silently force your browser to do what he needs. However, there are many other clients that use SSL/TLS to encrypt communications, including VPN clients, and apps on your mobile device. Since this attack relies on malicious javascript, attackers can’t easily exploit it against non-browser SSL clients. In any case, once this attack succeeds in decrypting one byte, it’s trivial for the attacker to decrypt the rest of your secure message.
So what can attackers do by decrypting SSL encrypted web sessions? Most likely, they’d leverage this flaw to try to intercept your encrypted HTTP session cookie. This essentially allows them to hijack your secure web sessions, and do anything you could do on the particular secure site you’re visiting. They wouldn’t obtain your passwords, but they’d have access to your secure web account.

While this sounds pretty bad, and it can be when the attack succeeds, the mitigating factors mentioned above really lessen the severity of this flaw. MitM attacks are not trivial to pull off in most cases, and this exploit’s javascript requirement means it can only easily target web browsers, not other SSL-based clients. Furthermore, if either end (client or server) disables SSLv3, the attack is dead in the water. In fact, NIST only assigns this vulnerability (CVE-2014-3566) a CVSS severity rating of 4.3, which is on the lower medium range of their severity scale. Though many of the media outlet reporting on this flaw have made it sound extremely dangerous, I would only give it a medium severity. It’s definitely something you want to mitigate, but it is not nearly as dangerous as the Heartbleed and Shellshock flaws the media has compared it to.

How to Protect Yourself from POODLE:

Simply put, disable SSLv3!

SSLv3 is an antiquated and broken encryption protocol. Every modern browser and SSL client supports much more recent encryption options. Disabling SSLv3 is the only way to completely protect yourself.

That said, some organizations may still use some legacy web applications, especially ones that require Internet Explorer (IE) 6 running on XP, which depend on SSLv3. Frankly, it’s time you get rid of those applications. In order to quantify today’s minimal SSLv3 usage, CloudFlare monitored all their customers’ traffic and found only 0.09% of it was SSLv3. When monitoring only secure web (HTTPS) traffic, SSLv3 usage jumped to 0.65%, but that’s still a tiny fraction of web traffic. We recommend you help bring this number to zero by getting rid of SSLv3 in your organization

So how do you disable SSLv3? There are two sides to the equation—the server and the client. You only have to disable one side for the attack to fail.

Since this attack targets clients, and seems to primarily affect web browsers, I recommend you disable SSLv3 in your browsers first. All popular web browsers have configuration settings that allow you to do so. The folks at Zmap.io have kindly provided an instruction page detailing how to disable SSLv3 in the popular browsers; check it out. Furthermore, most browser vendors have promised to disable SSLv3 by default in their next software release. Once you have disabled SSLv3 in your browser, attackers cannot leverage this flaw to decrypt your traffic, even if you connect to a web server that still has SSLv3 enabled.

That said, you also should disable SSLv3 on any servers you run, just to help protect the rest of the world against this flaw. The creators of OpenSSL have released an update that fixes this vulnerability (and three others). Besides allowing you to disable SSLv3 on your server, the latest version of OpenSSL supports a feature called TLS_FALLBACK_SCSC, which essentially prevents MitM attackers from forcing clients to downgrade to a certain encryption protocol. Many other Linux distributions and SSL implementations have also released updates. Go get them.

As an aside, once you’ve disabled SSLv3 in your browsers and servers, you can check the results using the following sites:

POODLE client check: https://www.poodletest.com
POODLE server check: https://ssltest.com or http://poodlebleed.com/

Are WatchGuard Products Affected by POODLE?

In short, yes.

WatchGuard appliances use OpenSSL and are affected by this vulnerability to varying degrees. The impacted products include:

XTM appliances – WatchGuard’s web-based user interfaces (UI), whether the administrative interface or the VPN client portal, do support SSLv3, and are vulnerable to this. However, you can mitigate this flaw by limiting exposure to the Web UI. There is no reason to allow Internet users to access that administrative interface. Also, our SSL VPN clients do NOT support SSLv3. So mobile VPN connections are not affected. We are making updates to our XTM firmware to disable SSLv3 by default.
XCS appliances – The XCS’s Web UI does support SSLv3 by default. However, you can disable it for the Web UI, and should do so. Our mail engine does also support SSLv3, and you can’t currently disabled it in the mail engine. That said, this exploit primarily targets web browsers, so the exposure in the mail engine should be low. In any case, we are making changes to the XCS firmware to disable SSLv3.
SSL VPN appliances – The SSL VPN appliances administrative Web UI uses SSLv3, and your currently can’t disable it. However, you can limit exposure simply by not allowing external access to the Web UI. As far as client VPN connections, you can disable SSLv3 in the Manage System => Device Setting page. Doing so ensures attackers can’t exploit this flaw to intercept and decrypt mobile SSL VPN traffic. We will release and update to disable SSLv3 in the Web UI.

This vulnerability’s impact to our appliances is relatively low. Nonetheless, WatchGuard will release updated versions for all affected software and devices that are under support. We are currently planning all these releases, and we will update this post as the dates and releases become available. In any case, if you limit access to the web-based administration interfaces on your WatchGuard appliances, the vulnerability poses you little risk. Furthermore, if you disable SSLv3 in your browser, attackers can’t even leverage it against you, whether or not the appliance uses SSLv3.

To summarize, POODLE is a big enough issue that you should definitely disable SSLv3 in all your browsers and servers as soon as you can. However, despite the wide and alarming coverage of this issue, it does not pose a huge, real-world risk to most users. If you update your browsers, and avoid unsecured WiFi connections, POODLE will likely not bite, and is easy to neuter. — Corey Nachreiner, CISSP (@SecAdept)