Open main menu

Wikipedia β

The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0.[1][2][3] If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated "September 2014" [1]).[4] Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks.[5] On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.[6]

The CVE-ID associated with the original POODLE attack is CVE-2014-3566. F5 Networks filed for CVE-2014-8730 as well, see POODLE attack against TLS section below.

Contents

Exploitation of graceful degradationEdit

POODLE exemplifies a vulnerability that succeeds thanks to a mechanism designed for reducing security for the sake of interoperability. When designing systems in domains with high levels of fragmentation, then, extra care is appropriate. In such domains graceful security degradation may become common.[7]

PreventionEdit

To mitigate the POODLE attack, one approach is to completely disable SSL 3.0 on the client side and the server side. However, some old clients and servers do not support TLS 1.0 and above. Thus, the authors of the paper on POODLE attacks also encourage browser and server implementation of TLS_FALLBACK_SCSV,[8] which will make downgrade attacks impossible.[1][9]

Another mitigation is to implement "anti-POODLE record splitting". It splits the records into several parts and ensures none of them can be attacked. However the problem of the splitting is that, though valid according to the specification, it may also cause compatibility issues due to problems in server-side implementations.[10] Opera 25 has implemented this mitigation in addition to TLS_FALLBACK_SCSV.[11]

Google's Chrome browser and their servers already support TLS_FALLBACK_SCSV. Google stated in October, 2014 it is planning to remove SSL 3.0 support from their products completely within a few months.[9] Fallback to SSL 3.0 has been disabled in Chrome 39, released in November 2014.[12] SSL 3.0 has been disabled by default in Chrome 40, released in January 2015.[13]

Mozilla has disabled SSL 3.0 in Firefox 34 and ESR 31.3, which were released in December 2014, and has added support of TLS_FALLBACK_SCSV in Firefox 35.[14]

Microsoft has published a security advisory to explain how to disable SSL 3.0 in Internet Explorer and Windows OS,[15] and on October 29, 2014, Microsoft released a "Fix it" which disables SSL 3.0 in Internet Explorer on Windows Vista / Server 2003 and above and announced a plan to disable SSL 3.0 by default in their products and services within a few months.[16] Microsoft disabled fallback to SSL 3.0 in Internet Explorer 11 for Protect Mode sites on February 10, 2015.[17] Microsoft disabled SSL 3.0 by default in IE 11 on April 14, 2015.[18]

Apple's Safari (on OS X 10.8, iOS 8.1 and later) has been mitigated against POODLE by removing support for all CBC protocols in SSL 3.0,[19][20] however, this leaves only RC4 which is also completely broken by the RC4 attacks in SSL 3.0.[citation needed]

To prevent the POODLE attack, some web services have dropped support of SSL 3.0. Examples include CloudFlare[21] and Wikimedia.[22]

NSS version 3.17.1, released on October 3, 2014, and 3.16.2.3, released on October 27, 2014, introduced support for TLS_FALLBACK_SCSV,[23][24] and NSS will disable SSL 3.0 by default in April 2015.[25] OpenSSL versions 1.0.1j, 1.0.0o and 0.9.8zc, released on October 15, 2014, introduced support for TLS_FALLBACK_SCSV.[26] LibreSSL version 2.1.1, released on October 16, 2014, disabled SSL 3.0 by default.[27]

POODLE attack against TLSEdit

A new variant of the original POODLE attack was announced on December 8, 2014. This attack exploits implementation flaws of CBC encryption mode in the TLS 1.0 - 1.2 protocols. Even though TLS specifications require servers to check the padding, some implementations fail to validate it properly, which makes some servers vulnerable to POODLE even if they disable SSL 3.0.[6] SSL Pulse showed "about 10% of the servers are vulnerable to the POODLE attack against TLS" before this vulnerability is announced.[28] The CVE-ID for F5 Networks' implementation bug is CVE-2014-8730. The entry in NIST's NVD states that this CVE-ID is to be used only for F5 Networks' implementation of TLS, and that other vendors whose products have the same failure to validate the padding mistake in their implementations like A10 Networks and Cisco Systems need to issue their own CVE-IDs for their implementation errors because this is not a flaw in the protocol itself and is a flaw in the protocol's implementation.

The POODLE attack against TLS was found to be easier to initiate than the initial POODLE attack against SSL. There is no need to downgrade clients to SSL 3.0, meaning fewer steps are needed to execute a successful attack. [29]

ReferencesEdit

  1. ^ a b c Möller, Bodo; Duong, Thai; Kotowicz, Krzysztof (September 2014). "This POODLE Bites: Exploiting The SSL 3.0 Fallback" (PDF). 
  2. ^ Bright, Peter (October 15, 2014). "SSL broken, again in POODLE attack". Ars Technica. 
  3. ^ Brandom, Russell (October 14, 2014). "Google researchers reveal new Poodle bug, putting the web on alert". 
  4. ^ "Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback". Google Online Security Blog. Retrieved June 1, 2015. 
  5. ^ Finkle, Jim (October 15, 2014). "New Poodle web threat not seen as menacing as Heartbleed, Shellshock". Reuters. Reuters. Retrieved October 15, 2014. 
  6. ^ a b Langley, Adam (December 8, 2014). "The POODLE bites again". Retrieved December 8, 2014. 
  7. ^ Hagai Bar-El. "Poodle flaw and IoT". Retrieved October 15, 2014. 
  8. ^ B. Moeller, A. Langley (April 2015). "RFC 7507: TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks". IETF. 
  9. ^ a b Möller, Bodo (October 14, 2014). "This POODLE bites: exploiting the SSL 3.0 fallback". Google Online Security blog. Google (via Blogspot). Retrieved October 15, 2014. 
  10. ^ Langley, Adam (October 14, 2014). "POODLE attacks on SSLv3". imperialviolet.org. Retrieved October 16, 2014. 
  11. ^ Molland, Håvard (October 15, 2014). "Security changes in Opera 25; the poodle attacks". Opera security blog. Opera. Retrieved October 16, 2014. 
  12. ^ Ilascu, Ionut. "Chrome 39 Disables SSLv3 Fallback, Awards $41,500 / €33,000 in Bounties". Softpedia. Retrieved 3 December 2014. 
  13. ^ "Issue 693963003: Add minimum TLS version control to about:flags and Finch gate it. - Code Review". Retrieved 2015-04-16. 
  14. ^ "The POODLE Attack and the End of SSL 3.0". Mozilla blog. Mozilla. October 14, 2014. Retrieved October 15, 2014. 
  15. ^ "Vulnerability in SSL 3.0 Could Allow Information Disclosure". Microsoft TechNet. Microsoft. October 14, 2014. Retrieved October 15, 2014. 
  16. ^ "Security Advisory 3009008 revised". Microsoft TechNet. Microsoft. October 29, 2014. Retrieved October 30, 2014. 
  17. ^ Oot, Alec (December 9, 2014). "December 2014 Internet Explorer security updates & disabling SSL 3.0 fallback". Microsoft. Retrieved 9 December 2014. 
  18. ^ "February 2015 security updates for Internet Explorer". IEBlog. April 14, 2015. Retrieved 15 April 2015. 
  19. ^ "About Security Update 2014-005". apple.com. Retrieved June 1, 2015. 
  20. ^ "About the security content of iOS 8.1". apple.com. Retrieved June 1, 2015. 
  21. ^ Prince, Matthew (October 14, 2014). "SSLv3 Support Disabled By Default Due to POODLE Vulnerability". Cloudflare blog. Cloudflare. Retrieved October 15, 2014. 
  22. ^ Bergsma, Mark (October 17, 2014). "Protecting users against POODLE by removing SSL 3.0 support". Wikimedia blog. Wikimedia Foundation. Retrieved October 17, 2014. 
  23. ^ "NSS 3.17.1 release notes". Mozilla. October 3, 2014. Retrieved October 27, 2014. 
  24. ^ "NSS 3.16.2.3 release notes". Mozilla. October 27, 2014. Retrieved October 27, 2014. 
  25. ^ "Disable SSL 3 by default in NSS in April 2015.". mozilla.dev.tech.crypto. October 27, 2014. Retrieved October 27, 2014. 
  26. ^ "OpenSSL Security Advisory [15 Oct 2014]". OpenSSL. October 15, 2014. Retrieved October 20, 2014. 
  27. ^ "LibreSSL 2.1.1 released.". LibreSSL. October 16, 2014. Retrieved October 20, 2014. 
  28. ^ Ristic, Ivan (December 8, 2014). "Poodle Bites TLS". Retrieved December 8, 2014. 
  29. ^ Stosh, Brandon (December 8, 2014). "Nasty POODLE Variant Bypasses TLS Crypto Affecting Over 10 Percent of the Web". Retrieved December 8, 2014. 

External linksEdit