10/15/2014
02:15 PM
'POODLE' Attacks, Kills Off SSL 3.0

A newly discovered design flaw in an older version of SSL encryption protocol could be used for man-in-the-middle attacks -- leading some browser vendors to remove SSL 3.0 for good.

Disable SSL 3.0 in browsers and servers: That's the recommendation of security experts in the wake of the discovery of a serious flaw in the nearly 15-year-old version of the encryption protocol. The flaw could allow an attacker to wage a man-in-the-middle attack against a user.

Google researchers announced late yesterday that they had discovered a vulnerability (CVE-2014-3566) in the older SSL (version 3) that could allow man-in-the-middle attacks on a user's encrypted web and other communications sessions. However, the so-called POODLE (Padding Oracle On Downgraded Legacy Encryption) attack would be tough to pull off, and the most likely scenario would be a determined attacker targeting a user or group of users, security experts say.

SSL 3.0 was replaced long ago by the newer Transport Layer Security (TLS) versions 1.0 and 1.2 in most SSL implementations, but the older version has been kept around mainly to support older client machines and legacy applications. Google now plans to remove SSL 3.0 altogether from its client software, including the Chrome browser, in the coming months. Mozilla says it will do so with Firefox on Nov. 25. According to some estimates, around 98% of websites still support SSL 3.0 for backward compatibility with older client machines and browsers.

But this is no Heartbleed vulnerability moment.

"It's not as bad as Heartbleed, but it's certainly real," says Dan Kaminsky, chief scientist at WhiteOps. The threat isn't fixable without disabling SSL 3.0, "but TLS has been out a long time, and the number of clients that can't speak it is small."

Ivan Ristic, director of engineering at Qualys and an SSL expert, concurs that POODLE is no Heartbleed. "It's a big problem, but it's not the end of the world," he says. "This is not an easy attack to carry out. It's an elaborate attack… There is a lot for the attacker to do to make it successful. The question is what's the motivation" to execute it.

According to security experts, the good news about POODLE is that it has sounded the death knell for the older version of the SSL protocol for encrypted communications. "It's very difficult to kill off old protocols," Ristic says. "It's very good to see" browser vendors and websites getting rid of SSL 3.0 because of it.

Google Security Team member Bodo Möller revealed the flaw in a blog post late yesterday after a flurry of industry speculation over whether yet another big Internet bug was in the wings. Most browsers are affected by the flaw because they still support SSL 3.0, and Google says it supports a mechanism called TLS_FALLBACK_SCSV that lets a server detect a client that has been pushed down to an older protocol version, which would prevent an attacker from exploiting the SSL 3.0 flaw, he wrote. Some websites will break as Google disables SSL 3.0, so those sites "will need to be updated quickly" to drop SSL 3.0 support.

The attack is possible only when both the client and the server still support SSL 3.0. POODLE first forces the connection to fall back to SSL 3.0 and then exploits a weakness in the way that version handles encryption padding. The attack would work like this: An attacker injects malicious JavaScript into the victim's browser, for example via code planted on a non-encrypted website the user visits. Once that script is running in the browser, the attacker can execute a man-in-the-middle attack, ultimately grabbing the victim's cookies and credentials from the secured web session.
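To make the downgrade and the TLS_FALLBACK_SCSV defence concrete, here is an added example (not code from the article, Google, or any browser) that builds the SSL 3.0 ClientHello a downgraded client would send, with the signalling cipher suite appended, and classifies the server's first reply. The cipher-suite list and the server responses are constructed samples; a server that understands the SCSV answers the fallback with an inappropriate_fallback alert instead of completing an SSL 3.0 handshake.

```python
import os
import struct

SSLV3 = 0x0300
TLS_FALLBACK_SCSV = 0x5600             # signalling cipher suite value (RFC 7507)
ALERT_INAPPROPRIATE_FALLBACK = 86      # alert a SCSV-aware server sends on a fallback
ALERT_HANDSHAKE_FAILURE = 40
ALERT_PROTOCOL_VERSION = 70
SAMPLE_SUITES = [0x002F, 0x0035, 0x000A]   # constructed sample: SSL 3.0-era CBC suites

def build_sslv3_client_hello(cipher_suites, with_scsv=True, random_bytes=None):
    """Build an SSL 3.0 ClientHello record, optionally appending TLS_FALLBACK_SCSV
    so a server that also speaks TLS can tell this is a downgraded retry."""
    suites = list(cipher_suites) + ([TLS_FALLBACK_SCSV] if with_scsv else [])
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    body = struct.pack("!H", SSLV3) + rnd + b"\x00"            # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", SSLV3, len(handshake)) + handshake

def classify_response(record):
    """Classify the first record a server returns for the SSL 3.0 ClientHello."""
    if len(record) < 5:
        return "malformed"
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:                      # alert record
        desc = payload[1]
        if desc == ALERT_INAPPROPRIATE_FALLBACK:
            return "downgrade-protected"     # server honoured the SCSV and refused the fallback
        if desc in (ALERT_HANDSHAKE_FAILURE, ALERT_PROTOCOL_VERSION):
            return "sslv3-rejected"          # SSL 3.0 disabled outright
        return "alert-%d" % desc
    if ctype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:   # ServerHello
        server_version = struct.unpack("!H", payload[4:6])[0]
        return "sslv3-accepted" if server_version == SSLV3 else "other-version"
    return "unexpected"

def constructed_alert(desc, level=2):
    """Constructed sample alert record (level 2 = fatal)."""
    return b"\x15" + struct.pack("!HH", SSLV3, 2) + bytes([level, desc])

def constructed_server_hello(version):
    """Constructed sample ServerHello selecting suite 0x002F with a zero random."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", SSLV3, len(handshake)) + handshake
```

Sending the hello to a server you administer and feeding the first record back to classify_response tells you whether it still completes SSL 3.0 handshakes or honours the SCSV.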

"This is an attack on the client," Ristic says. It's similar to the BEAST man-in-the-middle attack from 2011. POODLE "has been known for a long time in one way or another. It was ignored because no one could see how it could be exploited" until now.

Karl Sigler, threat intelligence manager for Trustwave, notes that POODLE can work only if the victim is actively online and the attacker is physically near him or her, such as in a coffee shop or somewhere with public WiFi.

SSL-based VPN client software is not likely affected by POODLE, however. Ristic says he doesn't think the attack could be exploited on a VPN client. "And I wouldn't expect a modern VPN client to use SSL 3.0, anyway."

So why have SSL 3.0 at all? It has been kept alive mainly to support older client systems, such as Windows XP and Internet Explorer 6. The catch with disabling SSL 3.0, of course, is that IE6 users would be cut off -- something that is more of an issue overseas than in the US.

Meanwhile, SANS Internet Storm Center has set up an online POODLE test to see if your browser is vulnerable: A poodle pops up with a bubble screaming "Vulnerable!" if you are, and a Springfield terrier character pops up if you're not.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
GonzSTL, User Rank: Ninja
10/20/2014 | 11:22:56 AM
Re: protocols too old
What really gets me is that TLS was designed to replace SSL, and was introduced last century (I know that sounds really dramatic), and we still have systems that have not deprecated that protocol. I realize that systems security updates/upgrades may consume a great deal of internal resources, but in today's threat landscape, can we really afford not to do that? Have we not arrived at a point where systems operators must be nimble enough so that they can respond to security issues such as an insecure protocol in a timely fashion, before havoc breaks out? Timely is the keyword. SSL 3.0 was released in 1996; TLS 1.0 was defined in January 1999, TLS 1.1 in April 2006, and TLS 1.2 in August 2008. Here we are in 2014, still talking about deprecating SSL 3.0! The bad guys are laughing, and the good guys are scrambling. It should be the other way around.
Kelly Jackson Higgins, User Rank: Strategist
10/16/2014 | 4:38:32 PM
Re: Credit to Google...
...ah, but as for us journos, we're all cursing Google for those awful POODLE pun PR pitches that name has spawned.
Thomas Claburn, User Rank: Ninja
10/16/2014 | 4:33:59 PM
Credit to Google...
...for naming this POODLE. It's memorable enough to get people to pay attention.
Kelly Jackson Higgins, User Rank: Strategist
10/16/2014 | 8:54:03 AM
Re: protocols too old
I almost LOL'ed when I learned that the reason SSLv3 is still supported in many cases is for XP and IE6 users. <sigh>
securityaffairs, User Rank: Ninja
10/16/2014 | 5:43:39 AM
protocols too old
Comparing the extent of POODLE to Heartbleed or BashBug is absurd; anyway, this flaw raises once again the necessity to approach security by design.

Many protocols are very dated but still supported, like SSLv3; consider that the concept of security has evolved in the last 20 years in a dramatic way. Supporting a dated protocol for which security requirements were totally different from actual needs enlarges our attack surface.

It is necessary to seriously consider a deep assessment of the most popular protocols and standards to avoid other clamorous cases.
Kelly Jackson Higgins, User Rank: Strategist
10/15/2014 | 4:42:11 PM
Re: Is it safe? Probably not
So the Metasploit module isn't out officially yet? I haven't seen anything on it if so.
theb0x, User Rank: Ninja
10/15/2014 | 4:41:02 PM
Re: Is it safe? Probably not
Unfortunately I can not publicly disclose that information at this time.
Kelly Jackson Higgins, User Rank: Strategist
10/15/2014 | 4:08:07 PM
Re: Is it safe? Probably not
If a Metasploit module is now out, then it's a bit more streamlined to pull off, for sure. But the attack still requires some proximity and targeting. Got a link to the Metasploit module by chance, @theb0x? Our commenting platform won't allow you to input a live link, but if you could provide the URL, that would be great.

Thanks!
theb0x, User Rank: Ninja
10/15/2014 | 3:10:36 PM
Is it safe? Probably not.
"This is not an easy attack to carry out. It's an elaborate attack... There is a lot for the attacker to do to make it successful. The question is what's the motivation" to execute it.

This statement is completely misleading. Truth is it is an easy attack. The CVE-2014-3566 (Poodle SSL Vulnerability) PoC has already been released for Metasploit 4.10.0 (Update 2014101501).