Turns out a major design flaw discovered and patched five years ago in the old SSL 3.0 encryption protocol, which exposed secure sessions to the so-called POODLE attack, didn't really die: A researcher has unearthed two new related vulnerabilities in the newer TLS 1.2 crypto protocol.
Craig Young, a computer security researcher for Tripwire's Vulnerability and Exposure Research Team, found vulnerabilities in SSL 3.0's successor, TLS 1.2, that allow for attacks akin to POODLE due to TLS 1.2's continued support for a long-outdated cryptographic method: cipher block-chaining (CBC). The flaws allow man-in-the-middle (MitM) attacks on a user's encrypted Web and VPN sessions.
"Specifically, there are products out there that did not properly remediate the first POODLE issue," says Young, who will detail his findings next month at Black Hat Asia in Singapore. He found the latest flaws while further researching, and then testing, just how an attacker could exploit the original POODLE MitM attack.
Among the affected vendors is Citrix, which is also the first to issue a patch for the flaw (CVE-2019-6485). The bug could allow an attacker to abuse Citrix's Delivery Controller (ADC) network appliance to decrypt TLS traffic.
"At Citrix, the security of our products is paramount and we take all potential vulnerabilities very seriously. In the case of the so-called POODLE attack, we have applied the appropriate patches to mitigate the issue and advised our customers on actions needed to secure their platforms," the company said in a statement given to Dark Reading. "We will continue to vigorously monitor our systems to ensure the integrity of our solutions and provide the highest levels of security for our customers around the world."
Young declined to name other vendors currently working on patches, but he says the products include Web application firewalls, load-balancers, and remote access SSL VPNs.
Young has christened the two new flaws Zombie POODLE and GOLDENDOODLE (CVE). With Zombie Poodle, he was able to revive the POODLE attack in a Citrix load balancer with a tiny tweak to the POODLE attack on some systems that hadn't fully eradicated the outdated crypto methods. GOLDENDOODLE, meanwhile, is a similar attack but with more powerful and rapid crypto-hacking performance. Even if a vendor has fully eradicated the original POODLE flaw, it still could be vulnerable to GOLDENDOODLE attacks, Young warns.
Some 2,000 of the Alexa Top 1 Million websites are vulnerable to Zombie POODLE, with some 1,000 to GOLDENDOODLE as well hundreds still vulnerable to the nearly 5-year-old POODLE, according to findings from Young's online scans.
It's not just small sites that are vulnerable, he says: "It seems to be more prevalent in sites that are spending more money on running websites," such as government agencies and financial institutions that run hardware acceleration systems like Citrix's platforms, he notes.
"This [issue] should have been put to bed four or five years ago," Young says, but some vendors either didn't fully remove support for the older and less secure ciphers or didn't fully patch for the POODLE attack flaw itself. Citrix, for instance, had not fully patched for the original POODLE, he says, leaving it open for the next-generation POODLE attacks.
The core problem, of course, is that HTTPS's underlying protocol (first SSL, now TLS) hasn't been properly purged of old cryptographic methods that are outdated and less secure. Support for these older protocols, mainly to ensure that older legacy browsers and client machines aren't locked out of websites, also leaves websites vulnerable. Like its predecessor, TLS 1.2 is riddled with workarounds and countermeasures for protecting against abuse of the older crypto, such as CBC and RC4.
The First POODLE
The original POODLE flaw (Padding Oracle On Downgraded Legacy Encryption), aka CVE-2014-3566, was initially discovered by researchers at Google. It wasn't easy to execute, and neither is POODLE Zombie or GOLDENDOODLE. That's because attackers must be able to set up a MitM attack on the victim's network or via Wi-Fi.
"Every attack has to be rather targeted, and there are a lot of moving parts," Young says. "From the attacker's perspective, you have to know who you are targeting and what kind of system they are running so you can predict where the sensitive material is you are trying to steal. The goal of this attack is to steal an authentication cookie."
An attacker could gain access to the victim's SSL VPN and ultimately pose as that victim on the organization's VPN and move around the network, for example. That would require the attacker on via a public Wi-Fi network to employ ARP spoofing or trick the user's client machine or phone to a phony Wi-Fi hotspot where the attacker then could discern the victim's authentication cookie for his or her VPN session.
Young says it's not likely the POODLE family of attacks are being exploited by cybercriminals, but even so, these attacks would be difficult to detect. Servers don't typically log for this type of activity, for example, he notes.
GOLDENDOODLE kicks it up a notch and executes the POODLE attack at a faster and more efficient rate, he explains. Why the seemingly silly name? It actually retrieves the key intel it needs: "[It's] deterministic such that the attacker is able to test whether the byte being decrypted has a specific value," Young explains.
Go TLS 1.3
The long-term fix for POODLE-based attacks is adoption of the latest version of the TLS encryption protocol, TLS 1.3, which deleted the older crypto methods like CBC rather than including confusing and easily misconfigured workarounds. "It takes away all nonauthenticated ciphers" so attacks like POODLE and its successors can't be executed, Young says.
While TLS 1.3 is available in popular browsers and networking products, website operators have been slow to deploy it mainly out of fear that the move will inadvertently "break" something.
Meantime, organizations not quite ready to go full TLS 1.3 just yet can disable all CBC encryption suites in their TLS 1.2-based systems to protect themselves from the new attacks. Young says his recent scans are showing some organizations he contacted about their sites' vulnerabilities to the POODLE family are now all clear: "I have ... noticed some websites that are able to remediate the flaw without disabling CBC or patching," but it's not clear what workarounds they employed, he says.
The challenge is that larger websites often must support older Web browsers, Android devices, and Windows systems connecting to them. "While I'd like these businesses to disable CBC ciphers, it would probably create business issues for them" if older client systems couldn't reach their sites, he says.
At Black Hat Asia, Young plans to release the scanning tool he created for his research for vendors and security experts to test Zombie POODLE and GOLDENDOODLE attacks. Tripwire's IP360 scanner also detects the flaws, he notes.
Meantime, researchers at NCC Group today published new research on an attack that would downgrade TLS1.3 to the older, more vulnerable versions.
- TLS 1.3 Won't Break Everything
- Access Control Lists: 6 Key Principles to Keep in Mind
- Preparing for Transport Layer Security 1.3
- Crypto In The Crosshairs Again
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.