EGI CSIRT:Alerts/POODLE-2014-10-16
Revision as of 09:27, 17 October 2014 by imported>Lnixon (Created page with "<pre> Title: EGI CSIRT 'MEDIUM' Risk - 'POODLE' vulnerability in SSL version 3 Date: 2014-10-16 Updated Introduction ============ A protocol vulnerability in SSL ...")
Title: EGI CSIRT 'MEDIUM' Risk - 'POODLE' vulnerability in SSL version 3 Date: 2014-10-16 Updated Introduction ============ A protocol vulnerability in SSL version 3 has recently been disclosed by Google researchers. The vulnerability, codenamed POODLE ("Padding Oracle On Downgraded Legacy Encryption"), makes it possible to perform a man-in-the-middle-attack against connections protected by SSLv3. POODLE is a weakness in the protocol itself, not in any particular application, so all implementations of SSLv3 are vulnerable. For successful exploitation of POODLE, an attacker needs to be able to trigger a large amount of SSLv3 connections with partly attacker-controlled content, and also needs to be able to intercept and modify the encrypted SSLv3 traffic. EGI CSIRT has assessed POODLE as MEDIUM risk in the context of ordinary HTTPS web servers and as LOW risk in the context of grid services. EGI CSIRT recommends SSLv3 support to be disabled wherever feasible - please refer to the compatibility notes below. Details ======= SSLv3 provides support for only the RC4 stream cipher or a block cipher in CBC mode. RC4 is already known to leak information if an attacker can observe many connections with constant data. As it turns out, the CBC cipher is also vulnerable, leaving SSLv3 without any secure ciphers. For full details on the problems with the CBC cipher, please see the advisory from the original reporters: https://www.openssl.org/~bodo/ssl-poodle.pdf Compatibility notes =================== Disabling SSLv3 support on web servers may lead to compatibility problems with elderly clients like IE6 on Windows XP, which do not support more secure protocol versions. There are unconfirmed reports that the Evolution mail client is unable to connect to IMAPS servers which have SSLv3 support disabled. Credits ======= POODLE was discovered by Bodo Möller, Thai Duong and Krzysztof Kotowicz.