Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/8/2019
02:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Zombie 'POODLE' Attack Bred from TLS Flaw

Citrix issues update for encryption weakness dogging the popular security protocol.

Turns out a major design flaw discovered and patched five years ago in the old SSL 3.0 encryption protocol, which exposed secure sessions to the so-called POODLE attack, didn't really die: A researcher has unearthed two new related vulnerabilities in the newer TLS 1.2 crypto protocol.

Craig Young, a computer security researcher for Tripwire's Vulnerability and Exposure Research Team, found vulnerabilities in SSL 3.0's successor, TLS 1.2, that allow for attacks akin to POODLE due to TLS 1.2's continued support for a long-outdated cryptographic method: cipher block-chaining (CBC). The flaws allow man-in-the-middle (MitM) attacks on a user's encrypted Web and VPN sessions.

"Specifically, there are products out there that did not properly remediate the first POODLE issue," says Young, who will detail his findings next month at Black Hat Asia in Singapore. He found the latest flaws while further researching, and then testing, just how an attacker could exploit the original POODLE MitM attack.

Among the affected vendors is Citrix, which is also the first to issue a patch for the flaw (CVE-2019-6485). The bug could allow an attacker to abuse Citrix's Delivery Controller (ADC) network appliance to decrypt TLS traffic.

"At Citrix, the security of our products is paramount and we take all potential vulnerabilities very seriously. In the case of the so-called POODLE attack, we have applied the appropriate patches to mitigate the issue and advised our customers on actions needed to secure their platforms," the company said in a statement given to Dark Reading. "We will continue to vigorously monitor our systems to ensure the integrity of our solutions and provide the highest levels of security for our customers around the world."

Young declined to name other vendors currently working on patches, but he says the products include Web application firewalls, load-balancers, and remote access SSL VPNs.

Young has christened the two new flaws Zombie POODLE and GOLDENDOODLE (CVE). With Zombie Poodle, he was able to revive the POODLE attack in a Citrix load balancer with a tiny tweak to the POODLE attack on some systems that hadn't fully eradicated the outdated crypto methods. GOLDENDOODLE, meanwhile, is a similar attack but with more powerful and rapid crypto-hacking performance. Even if a vendor has fully eradicated the original POODLE flaw, it still could be vulnerable to GOLDENDOODLE attacks, Young warns.

Some 2,000 of the Alexa Top 1 Million websites are vulnerable to Zombie POODLE, with some 1,000 to GOLDENDOODLE as well hundreds still vulnerable to the nearly 5-year-old POODLE, according to findings from Young's online scans.

It's not just small sites that are vulnerable, he says: "It seems to be more prevalent in sites that are spending more money on running websites," such as government agencies and financial institutions that run hardware acceleration systems like Citrix's platforms, he notes.

"This [issue] should have been put to bed four or five years ago," Young says, but some vendors either didn't fully remove support for the older and less secure ciphers or didn't fully patch for the POODLE attack flaw itself. Citrix, for instance, had not fully patched for the original POODLE, he says, leaving it open for the next-generation POODLE attacks.

The core problem, of course, is that HTTPS's underlying protocol (first SSL, now TLS) hasn't been properly purged of old cryptographic methods that are outdated and less secure. Support for these older protocols, mainly to ensure that older legacy browsers and client machines aren't locked out of websites, also leaves websites vulnerable. Like its predecessor, TLS 1.2 is riddled with workarounds and countermeasures for protecting against abuse of the older crypto, such as CBC and RC4.

The new Zombie POODLE and GOLDENDOODLE attacks - like POODLE - allow an attacker to rearrange encrypted blocks of data and, via a side channel, get a peek at plaintext information. The attack works like this: An attacker injects a malicious JavaScript into the victim's browser via code planted on a nonencrypted website the user visits, for example. Once the browser is infected, the attacker can execute a MITM attack, ultimately grabbing the victim's cookies and credentials from the secured Web session.

The First POODLE
The original POODLE flaw (Padding Oracle On Downgraded Legacy Encryption), aka CVE-2014-3566, was initially discovered by researchers at Google. It wasn't easy to execute, and neither is POODLE Zombie or GOLDENDOODLE. That's because attackers must be able to set up a MitM attack on the victim's network or via Wi-Fi.

"Every attack has to be rather targeted, and there are a lot of moving parts," Young says. "From the attacker's perspective, you have to know who you are targeting and what kind of system they are running so you can predict where the sensitive material is you are trying to steal. The goal of this attack is to steal an authentication cookie."

An attacker could gain access to the victim's SSL VPN and ultimately pose as that victim on the organization's VPN and move around the network, for example. That would require the attacker on via a public Wi-Fi network to employ ARP spoofing or trick the user's client machine or phone to a phony Wi-Fi hotspot where the attacker then could discern the victim's authentication cookie for his or her VPN session.

Young says it's not likely the POODLE family of attacks are being exploited by cybercriminals, but even so, these attacks would be difficult to detect. Servers don't typically log for this type of activity, for example, he notes.

GOLDENDOODLE kicks it up a notch and executes the POODLE attack at a faster and more efficient rate, he explains. Why the seemingly silly name? It actually retrieves the key intel it needs: "[It's] deterministic such that the attacker is able to test whether the byte being decrypted has a specific value," Young explains.

Go TLS 1.3
The long-term fix for POODLE-based attacks is adoption of the latest version of the TLS encryption protocol, TLS 1.3, which deleted the older crypto methods like CBC rather than including confusing and easily misconfigured workarounds. "It takes away all nonauthenticated ciphers" so attacks like POODLE and its successors can't be executed, Young says.

While TLS 1.3 is available in popular browsers and networking products, website operators have been slow to deploy it mainly out of fear that the move will inadvertently "break" something.

Meantime, organizations not quite ready to go full TLS 1.3 just yet can disable all CBC encryption suites in their TLS 1.2-based systems to protect themselves from the new attacks. Young says his recent scans are showing some organizations he contacted about their sites' vulnerabilities to the POODLE family are now all clear:  "I have ... noticed some websites that are able to remediate the flaw without disabling CBC or patching," but it's not clear what workarounds they employed, he says.

The challenge is that larger websites often must support older Web browsers, Android devices, and Windows systems connecting to them. "While I'd like these businesses to disable CBC ciphers, it would probably create business issues for them" if older client systems couldn't reach their sites, he says.

At Black Hat Asia, Young plans to release the scanning tool he created for his research for vendors and security experts to test Zombie POODLE and GOLDENDOODLE attacks. Tripwire's IP360 scanner also detects the flaws, he notes.

Meantime, researchers at NCC Group today published new research on an attack that would downgrade TLS1.3 to the older, more vulnerable versions.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ludovic_rembert
50%
50%
ludovic_rembert,
User Rank: Apprentice
4/29/2019 | 7:25:40 AM
TLS's list of vulnerabilities grows longer still
We saw a very similar vulnerability to the POODLE attack in recent changes to TLS 1.2 / 1.3, which ALSO allowed for MITM attacks on certain VPNs - https://www.thesslstore.com/blog/tls-pinning-in-mobile-apps/. It's unclear from Kelly's article here which VPN services were affected here by the POODLE attack, but in the case of Schneier's TLS pinning expose, we saw that market leaders like TunnelBear and others were affect.

It feels to me as if TLS is 'trying to make up for lost time', ie they've long been second in the cetificate security race to SSL. Now they are releasing new versions of the protocol, only to find that they are not secure. 
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19071
PUBLISHED: 2019-11-18
A memory leak in the rsi_send_beacon() function in drivers/net/wireless/rsi/rsi_91x_mgmt.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering rsi_prepare_beacon() failures, aka CID-d563131ef23c.
CVE-2019-19072
PUBLISHED: 2019-11-18
A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-96c5c6e6a5b6.
CVE-2019-19073
PUBLISHED: 2019-11-18
Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, ...
CVE-2019-19074
PUBLISHED: 2019-11-18
A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.
CVE-2019-19075
PUBLISHED: 2019-11-18
A memory leak in the ca8210_probe() function in drivers/net/ieee802154/ca8210.c in the Linux kernel before 5.3.8 allows attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data() failures, aka CID-6402939ec86e.