Thursday, October 16, 2014

One dog you don’t want to pet…

Poodles are great dogs, but a few days ago we all learned of one you sure don’t want to pet. The POODLE exploit, also known as CVE-2014-3566, was reported and documented in September and once again reminds us that making compromises in the world of security can end up biting us.

The actual attack that we are referring to here is known as “Padding Oracle”, and it’s quite old…over a decade old, in fact. It was reported back in 2002, at a time where SSL 3.0 was already “old” (6 years old is a lot in computer time, right?). SSL 3 was already replaced by TLS 1.0 15 years ago (2002) and since then TLS 1.1 and TLS 1.2 and these days, SSL 3.0 is rarely used. Even Windows XP is set to prefer TLS.

So Padding Oracle is old and pretty much all servers and clients are designed to give preference to TLS which isn’t sensitive to this sort of attack…but things are not that simple. Pretty much all clients and servers are designed to negotiate the encryption technology they use when connecting, and fallback to older protocols when unable to use new ones. This would allow a web server to drop from TLS 1.2 to TLS 1.1 if it talks to a client that is too old to support TLS 1.2, or vice versa. Fallback is of particular importance to public servers because they usually cannot afford to rule-out older clients.

With pretty much all servers and clients allowing protocol negotiation and fallback by default, and having SSL 3 as an available option, the world now has to deal with POODLE. All the attacker has to do is interfere with the connection during the protocol negotiation, and force the client and server to negotiate down to SSL 3.0…and then exploit the Padding Oracle vulnerability in it. This interference is not very simple, but can be done if the attacker has some control over the network.

Ultimately, having both control over the network to force SSL 3 and the ability to exploit Padding Oracle together isn’t very trivial, and that’s why this issue is not considered to be as high of a risk as HeartBleed and other recent security vulnerabilities, but it does need to be addressed and more importantly, we need to keep this in mind when designing or configuring systems. Keeping old protocols in place is comfortable and re-assuring, but can also turn out to be a gaping hole in our security.


What to do about POODLE?

POODLE can be used only if both client and server are configured to fallback to SSL 3.0, but clients cannot trust all servers to do so or vice versa, so both server owners and users should take steps to prevent it. Browser vendors are working on updating their products, but until they do, you can disable SSL 3.0 at the operating system level. For example, Digicert have published this article, describing doing this on Windows, which is quite simple to do. You can read more about POODLE and how it works here.

No comments: