seebug / Janes / SSV:92692
Feb 17, 2017 - 12:00 a.m.

SSL 3.0 POODLE (CVE-2014-3566)

2017-02-17 00:00:00
janes
www.seebug.org
EPSS: 0.975 (High), percentile 100.0%

SSL 3.0 POODLE attack information disclosure vulnerability (CVE-2014-3566)

  • Release date: 2014-10-14
  • Update date: 2014-10-16

Affected systems:

  • Netscape SSL 3.0
  • Netscape TLS

Unaffected systems:

  • Netscape TLS 1.2
  • Netscape TLS 1.1
  • Netscape TLS 1.0

Description:

CVE(CAN) ID: CVE-2014-3566

SSL 3.0 is an obsolete and insecure protocol that has been superseded by TLS 1.0, TLS 1.1 and TLS 1.2. For compatibility reasons, most TLS implementations remain compatible with SSL 3.0.

For interoperability, most browser versions currently support SSL 3.0. The TLS handshake includes a version negotiation step in which, in general, the client and server use the latest protocol version available to both. When the client negotiates the version with the server during the handshake, it first offers the latest protocol version it supports; if that handshake fails, it retries the negotiation with an older protocol version. An attacker who is able to mount a man-in-the-middle attack can make the connections that affected browsers and servers negotiate with newer protocol versions fail, and so achieve a downgrade attack in which the client and server communicate over the insecure SSL 3.0. Because the SSL 3.0 implementation of CBC block encryption is vulnerable, the attacker can then decrypt information protected by the SSL connection, for example to obtain user cookie data. This attack is called the POODLE attack (Padding Oracle On Downgraded Legacy Encryption).

This vulnerability affects the vast majority of SSL servers and clients, so its impact is wide. To exploit it successfully, however, the attacker must be able to control the data between the client and the server (perform a MiTM attack).

How to fix the POODLE SSLv3 security vulnerability (CVE-2014-3566): http://www.linuxidc.com/Linux/2014-10/108103.htm

Recommendations

Temporary workaround:

If you cannot immediately install patches or upgrade, NSFOCUS recommends that you take the following measures to reduce the threat:

  • Disable the SSL 3.0 protocol.

Among currently popular browsers, only IE 6.0 still does not support TLS 1.0; disabling the SSL 3.0 protocol will affect SSL access for IE 6 clients.

How to disable it on the server side:

Apache 2.x

In the mod_ssl configuration file, use the following directive to disable SSLv2 and SSLv3:

    SSLProtocol All -SSLv2 -SSLv3

Then restart Apache.

Nginx

In the configuration file, use:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Then restart Nginx.
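The following check is an added example, not part of the original advisory: it reads Apache SSLProtocol and Nginx ssl_protocols lines and reports any that still leave SSLv2 or SSLv3 enabled, or that do not parse (for instance when the spaces between tokens have been lost). The function names, the sample lines and the expansion of "all" are assumptions of this example.

```python
import re

# Assumption: "all" expands to every version listed here; builds that no
# longer ship SSLv2/SSLv3 expand it to less, so this errs towards flagging.
ALL = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
KNOWN = ALL | {"tlsv1.3"}
WEAK = {"sslv2", "sslv3"}
DIRECTIVE = re.compile(r"(?i)^(SSLProtocol|ssl_protocols)\s+(.+)$")

def enabled_protocols(directive, args):
    """Enabled versions (lower case) for one directive; ValueError on a bad token.
    Apache: +X adds, -X removes, a bare token replaces what was set so far
    (how this example models mod_ssl). nginx: a plain list with no prefixes."""
    apache = directive.lower() == "sslprotocol"
    enabled = set()
    for tok in args:
        sign = tok[0] if apache and tok[0] in "+-" else ""
        name = tok[len(sign):].lower()
        if name not in KNOWN and not (apache and name == "all"):
            raise ValueError("unknown protocol token %r" % tok)
        protos = ALL if name == "all" else {name}
        base = enabled if sign or not apache else set()
        enabled = base - protos if sign == "-" else base | protos
    return enabled

def audit(config_text):
    """Return [(line_no, problem)] for lines that keep SSLv2/SSLv3 or do not parse."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(raw.split("#", 1)[0].strip().rstrip(";").strip())
        if not m:
            continue
        try:
            weak = sorted(enabled_protocols(m.group(1), m.group(2).split()) & WEAK)
            problem = "enabled: " + ", ".join(weak) if weak else ""
        except ValueError as exc:
            problem = str(exc)
        if problem:
            findings.append((no, problem))
    return findings

# Constructed sample lines, not taken from a real server.
SAMPLE = """SSLProtocol All -SSLv2 -SSLv3
SSLProtocol All -SSLv2
SSLProtocol All-SSLv2-SSLv3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols SSLv3 TLSv1;"""

print(audit(SAMPLE))
```

The check only inspects directives that are present; a configuration with no such directive falls back to the server's built-in default, which has to be checked separately.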

IIS

Find the following registry key: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. This registry key usually contains the following subkeys:

  • PCT 1.0
  • SSL 2.0
  • SSL 3.0
  • TLS 1.0

Each of these registry subkeys holds the information related to its protocol. Any one of these protocols can be disabled on the server. To do this for SSL 3.0, create a new DWORD value under the Server subkey of the SSL 3.0 protocol, and set the DWORD value to "00 00 00 00".

How to disable it in the browser:

IE: "Tools" -> "Internet Options" -> "Advanced", then uncheck the "Use SSL 3.0" check box.

Chrome:

Copy a Chrome shortcut that you normally use, right-click the new shortcut and open its properties. In the "Target" field, add a space at the end and then enter the following parameter: --ssl-version-min=tls1

Firefox:

In the address bar, enter "about:config", then set security.tls.version.min to 1.
