
New Zombie 'POODLE' Attack Bred from TLS Flaw

Citrix issues update for encryption weakness dogging the popular security protocol.

Turns out a major design flaw discovered and patched five years ago in the old SSL 3.0 encryption protocol, which exposed secure sessions to the so-called POODLE attack, didn't really die: A researcher has unearthed two new related vulnerabilities in the newer TLS 1.2 crypto protocol.

Craig Young, a computer security researcher for Tripwire's Vulnerability and Exposure Research Team, found vulnerabilities in SSL 3.0's successor, TLS 1.2, that allow for attacks akin to POODLE due to TLS 1.2's continued support for a long-outdated cryptographic method: cipher block chaining (CBC). The flaws allow man-in-the-middle (MitM) attacks on a user's encrypted Web and VPN sessions.

"Specifically, there are products out there that did not properly remediate the first POODLE issue," says Young, who will detail his findings next month at Black Hat Asia in Singapore. He found the latest flaws while further researching, and then testing, just how an attacker could exploit the original POODLE MitM attack.

Among the affected vendors is Citrix, which is also the first to issue a patch for the flaw (CVE-2019-6485). The bug could allow an attacker to abuse Citrix's Application Delivery Controller (ADC) network appliance to decrypt TLS traffic.

"At Citrix, the security of our products is paramount and we take all potential vulnerabilities very seriously. In the case of the so-called POODLE attack, we have applied the appropriate patches to mitigate the issue and advised our customers on actions needed to secure their platforms," the company said in a statement given to Dark Reading. "We will continue to vigorously monitor our systems to ensure the integrity of our solutions and provide the highest levels of security for our customers around the world."

Young declined to name other vendors currently working on patches, but he says the products include Web application firewalls, load-balancers, and remote access SSL VPNs.

Young has christened the two new flaws Zombie POODLE and GOLDENDOODLE (CVE). With Zombie POODLE, he was able to revive the POODLE attack against a Citrix load balancer with a tiny tweak to the original attack, on systems that hadn't fully eradicated the outdated crypto methods. GOLDENDOODLE, meanwhile, is a similar attack with more powerful and rapid crypto-hacking performance. Even if a vendor has fully eradicated the original POODLE flaw, it still could be vulnerable to GOLDENDOODLE attacks, Young warns.

Some 2,000 of the Alexa Top 1 Million websites are vulnerable to Zombie POODLE, some 1,000 to GOLDENDOODLE, and hundreds are still vulnerable to the nearly 5-year-old POODLE, according to findings from Young's online scans.

It's not just small sites that are vulnerable, he says: "It seems to be more prevalent in sites that are spending more money on running websites," such as government agencies and financial institutions that run hardware acceleration systems like Citrix's platforms.

"This [issue] should have been put to bed four or five years ago," Young says, but some vendors either didn't fully remove support for the older and less secure ciphers or didn't fully patch for the POODLE attack flaw itself. Citrix, for instance, had not fully patched for the original POODLE, he says, leaving it open for the next-generation POODLE attacks.

The core problem, of course, is that HTTPS's underlying protocol (first SSL, now TLS) hasn't been properly purged of outdated, less secure cryptographic methods. Support for these older methods, kept mainly so that legacy browsers and client machines aren't locked out of websites, also leaves those websites vulnerable. Like its predecessor, TLS 1.2 is riddled with workarounds and countermeasures meant to protect against abuse of the older crypto, such as CBC and RC4.

The new Zombie POODLE and GOLDENDOODLE attacks - like POODLE - allow an attacker to rearrange encrypted blocks of data and, via a side channel, get a peek at plaintext information. The attack works like this: An attacker injects malicious JavaScript into the victim's browser, for example via code planted on an unencrypted website the user visits. Once that script is running in the browser, the attacker can execute a MitM attack, ultimately grabbing the victim's cookies and credentials from the secured Web session.

The First POODLE
The original POODLE flaw (Padding Oracle On Downgraded Legacy Encryption), aka CVE-2014-3566, was initially discovered by researchers at Google. It wasn't easy to execute, and neither is Zombie POODLE or GOLDENDOODLE. That's because attackers must be able to set up a MitM attack on the victim's network or via Wi-Fi.

"Every attack has to be rather targeted, and there are a lot of moving parts," Young says. "From the attacker's perspective, you have to know who you are targeting and what kind of system they are running so you can predict where the sensitive material is you are trying to steal. The goal of this attack is to steal an authentication cookie."

An attacker could gain access to the victim's SSL VPN and ultimately pose as that victim on the organization's VPN and move around the network, for example. That would require an attacker on a public Wi-Fi network, say, to employ ARP spoofing or to lure the user's client machine or phone onto a phony Wi-Fi hotspot, where the attacker could then discern the victim's authentication cookie for his or her VPN session.

Young says it's not likely the POODLE family of attacks is being exploited by cybercriminals, but even so, these attacks would be difficult to detect. Servers don't typically log this type of activity, for example, he notes.

GOLDENDOODLE kicks it up a notch and executes the POODLE attack at a faster and more efficient rate, he explains. Despite the seemingly silly name, it is precise about the information it retrieves: "[It's] deterministic such that the attacker is able to test whether the byte being decrypted has a specific value," Young explains.

Go TLS 1.3
The long-term fix for POODLE-based attacks is adoption of the latest version of the TLS encryption protocol, TLS 1.3, which removed the older crypto methods like CBC rather than including confusing and easily misconfigured workarounds. "It takes away all nonauthenticated ciphers" so attacks like POODLE and its successors can't be executed, Young says.

While TLS 1.3 is available in popular browsers and networking products, website operators have been slow to deploy it mainly out of fear that the move will inadvertently "break" something.

Meantime, organizations not quite ready to go full TLS 1.3 just yet can disable all CBC cipher suites in their TLS 1.2-based systems to protect themselves from the new attacks. Young says his recent scans are showing that some organizations he contacted about their sites' vulnerability to the POODLE family are now all clear: "I have ... noticed some websites that are able to remediate the flaw without disabling CBC or patching," but it's not clear what workarounds they employed, he says.
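A configuration audit along the lines of that advice, added here as an example and not part of the article or of Young's tool: it classifies cipher suite names as CBC or not (OpenSSL-style names leave "CBC" implicit, so the check keys on the block cipher and the absence of an AEAD mode), applies the same test to a Python `ssl.SSLContext`, and builds a TLS 1.2+ context limited to AEAD suites. The cipher string and the sample suite list are constructed for this example.

```python
import ssl

# OpenSSL-style names leave "CBC" implicit (ECDHE-RSA-AES256-SHA384 is a CBC suite),
# so the check keys on the block cipher and on the absence of an AEAD mode.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20", "POLY1305")
BLOCK_MARKERS = ("AES", "CAMELLIA", "SEED", "DES", "IDEA", "CBC")

# AEAD-only cipher string, constructed for this example; adjust to your client population.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL"

def is_cbc_suite_name(name):
    """True for a TLS 1.2 (or older) suite name, OpenSSL or IANA style, that uses CBC."""
    n = name.upper()
    if any(m in n for m in AEAD_MARKERS):
        return False            # authenticated encryption: no padding to attack
    if "RC4" in n or "NULL" in n:
        return False            # broken for other reasons, but not a CBC suite
    return any(m in n for m in BLOCK_MARKERS)

def is_cbc_cipher_info(info):
    """Same test for the dicts returned by ssl.SSLContext.get_ciphers()."""
    symmetric = (info.get("symmetric") or "").lower()
    if "cbc" in symmetric:
        return True
    return not info.get("aead", False) and is_cbc_suite_name(info["name"])

def audit_suite_names(names):
    """Split a suite list into (cbc_suites, other_suites), preserving order."""
    cbc = [n for n in names if is_cbc_suite_name(n)]
    return cbc, [n for n in names if n not in cbc]

def cbc_suites_in_context(ctx):
    """Names of the CBC suites a configured SSLContext would still negotiate."""
    return [c["name"] for c in ctx.get_ciphers() if is_cbc_cipher_info(c)]

def hardened_context():
    """TLS 1.2+ client context restricted to AEAD suites (TLS 1.3 suites are always AEAD)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx

# Constructed sample: suite names as a scanner or appliance config might list them.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384", "AES128-SHA",
    "ECDHE-RSA-CHACHA20-POLY1305", "DES-CBC3-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    cbc, _ok = audit_suite_names(SAMPLE_SUITES)
    print("CBC suites to disable:", cbc)
    print("CBC suites in this build's default context:", cbc_suites_in_context(ssl.create_default_context()))
    print("CBC suites after hardening:", cbc_suites_in_context(hardened_context()))
```

Which CBC suites the default context lists depends on the local OpenSSL build; the hardened context should list none.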

The challenge is that larger websites often must support older Web browsers, Android devices, and Windows systems connecting to them. "While I'd like these businesses to disable CBC ciphers, it would probably create business issues for them" if older client systems couldn't reach their sites, he says.

At Black Hat Asia, Young plans to release the scanning tool he created for his research for vendors and security experts to test Zombie POODLE and GOLDENDOODLE attacks. Tripwire's IP360 scanner also detects the flaws, he notes.

Meantime, researchers at NCC Group today published new research on an attack that would downgrade TLS 1.3 to the older, more vulnerable versions.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

4/29/2019 | 7:25:40 AM
TLS's list of vulnerabilities grows longer still
We saw a very similar vulnerability to the POODLE attack in recent changes to TLS 1.2 / 1.3, which ALSO allowed for MITM attacks on certain VPNs - https://www.thesslstore.com/blog/tls-pinning-in-mobile-apps/. It's unclear from Kelly's article here which VPN services were affected by the POODLE attack, but in the case of Schneier's TLS pinning expose, we saw that market leaders like TunnelBear and others were affected.

It feels to me as if TLS is 'trying to make up for lost time', i.e. they've long been second in the certificate security race to SSL. Now they are releasing new versions of the protocol, only to find that they are not secure.