POODLE vulnerability assessment

October 15, 2014, Mike Weber, Vice President, Coalfire Labs

Vulnerability Summary:

The POODLE vulnerability is due to a bug in SSL protocol, whereas Heartbleed and Shellshock were vulnerability due to a bug in software.  Heartbleed and Shellshock were confined to systems that ran vulnerable versions of software, whereas POODLE affects any system running any software that implements SSL 3.0, which is a widely implemented protocol used to provide encrypted network transmissions.  This is an “industry-wide” vulnerability.  Of Heartbleed and Shellshock, POODLE is most similar to Heartbleed as both Heartbleed and POODLE exploit vulnerabilities having to do with SSL. 

Q&A:

How serious is this vulnerability when compared with Heartbleed and Shellshock?
The POODLE vulnerability is due to a bug in SSL protocol, whereas Heartbleed and Shellshock were vulnerability due to a bug in software.  Heartbleed and Shellshock were confined to systems that ran vulnerable versions of software, whereas POODLE affects any system running any software that implements SSL 3.0, which is a widely implemented protocol used to provide encrypted network transmissions.  This is an “industry-wide” vulnerability.  Of Heartbleed and Shellshock, POODLE is most similar to Heartbleed as both Heartbleed and POODLE exploit vulnerabilities having to do with SSL.  Heartbleed had the ability to expose the encryption keys used to secure ALL connections to and from a system AND to steal the private keys and impersonate the system remotely. POODLE only has the ability to expose data between two specific systems and requires the attacker to execute a man-in-the-middle attack by either being between the two systems or by exploiting an existing vulnerability in a web server to get a javascript agent to run in the victim’s browser.
 
Can you please detail what the exploit can do potentially, briefly?
The POODLE attack can potentially allow an attacker to decrypt SSL secured network transmissions between two nodes – exposing any data sent between them.  Examples of this could include usernames and passwords used to log into any websites that use SSL 3.0, along with any other sensitive data sent to those websites.  Successful exploitation can only be performed if an attacker that is “between” both ends of the connection.
 
What are the potential risks for organizations? How can this affect them?
The most obvious risk for an organization is exposing sensitive client data for users of their web applications.  However, many organizations rely on external websites and applications to run their day to day business.  For example, a business may manage finances in real time using a provider’s website, or a business may have outsourced IT solutions to a cloud provider and they manage these systems through a web console.  Those connections from the company to these systems could be vulnerable as well.
 
What steps should they be taking to mitigate the risks from this attack?
Disable SSL 3.0 support on all browsers used by all staff within the organization, and disable SSL SSL 3.0 on webservers in favor of TLS.  SSL has a built-in fallback from TLS to SSL 3.0 – thus, this recommendation may cause compatibility problems with legacy systems.
 
Is this the patch from Microsoft addressing this “Poodle” vulnerability?
Yes, it is:  https://technet.microsoft.com/en-us/library/security/3009008.aspx
 
Anything else you’d like to add regarding this vulnerability?
Although it’s an “industry-wide” vulnerability, the attack scenario is quite challenging and not likely to cause wide-spread compromise.  In order to execute a successful attack, the attacker needs to 1) be able to interfere with the client’s initial network connection using TLS to force a “downgrade” to SSL 3.0, 2) be able to cause the client send repeated connections to a ‘known trusted site’, and 3) be able to intercept and modify those packets before transmission to the server.  

Mike Weber

Author

Mike Weber — Vice President, Coalfire Labs

Recent Posts

Post Topics

Archives