CVE-2014-3566 "Poodle" — Another Serious Vulnerability in SSL
The CVE-2014-3566 POODLE vulnerability exposes SSL 3.0 to serious exploits, allowing attackers to access sensitive data through SSL downgrade attacks. Immediate action is required to mitigate risks in affected systems.
Today, Google researchers released a description of a new vulnerability in SSL 3.0 (RFC 6101), which allows attackers to access transmitted data. The vulnerability has been named POODLE (Padding Oracle On Downgraded Legacy Encryption), CVE-2014-3566. Nearly all available HTTPS implementations are susceptible, making it particularly dangerous for critical applications. The vulnerability stems not from a coding error but from a design flaw in the protocol, so a regular patch is insufficient.
To exploit this vulnerability, attackers must first emulate an incompatibility in secure connection implementations between the client and server, prompting the client software to downgrade from more secure TLS protocols to SSL 3.0 — the so-called “downgrade dance.” After this, attackers can access critical information, such as headers storing authentication data in cookies. The attack can be executed via a Man-in-the-Middle scheme, where the hacker intercepts and modifies the information between the client and server.
Browsers, web servers, mail servers, and other applications using SSL 3.0 are vulnerable.
The Mozilla Foundation has already issued a statement that support for SSL 3.0 will be disabled by default in the next version, Firefox 34. Google plans similar changes for Chrome.
As a temporary mitigation, SSL 3.0 can be disabled on web servers and applications using SSL/TLS for encrypted data exchange. However, this may lead to compatibility issues with older applications.
Recommendations for nginx
Disable SSL 3.0 by adding the following option to the HTTPS server configuration:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Recommendations for Apache
Find the HTTPS server configuration files and add the following directive:
SSLProtocol All -SSLv2 -SSLv3
Postfix Mail Server
If Postfix is configured to use only encrypted connections, add the following directive to the configuration file:
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
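One way to check configuration files for the three directives above is sketched here as an added example; it is not code from the original article or from the nginx, Apache or Postfix projects. The function names are hypothetical, each function looks only at the first matching directive in the text it is given, a missing directive returns None because the built-in default depends on the software version, and Apache's "All" is assumed to include SSLv3.

```python
import re

def nginx_allows_sslv3(conf):
    """ssl_protocols is a plain allow-list; None means the directive is absent."""
    m = re.search(r'^\s*ssl_protocols\s+([^;#]+);', conf, re.M)
    if not m:
        return None  # built-in default applies and depends on the nginx version
    return 'sslv3' in m.group(1).lower().split()

def apache_allows_sslv3(conf):
    """SSLProtocol: a bare name resets the set, +name adds to it, -name removes from it."""
    m = re.search(r'^\s*SSLProtocol\s+([^#\n]+)', conf, re.M | re.I)
    if not m:
        return None
    # Assumption: "All" expands to a set that includes SSLv3 (conservative for an audit).
    everything = {'sslv3', 'tlsv1', 'tlsv1.1', 'tlsv1.2'}
    enabled = set()
    for tok in m.group(1).lower().split():
        sign, name = (tok[0], tok[1:]) if tok[0] in '+-' else ('', tok)
        names = everything if name == 'all' else {name}
        if sign == '-':
            enabled -= names
        elif sign == '+':
            enabled |= names
        else:
            enabled = set(names)
    return 'sslv3' in enabled

def postfix_allows_sslv3(conf):
    """!name excludes a protocol; if any plain name is listed, only listed ones are used."""
    m = re.search(r'^\s*smtpd_tls_mandatory_protocols\s*=\s*([^#\n]+)', conf, re.M)
    if not m:
        return None
    toks = [t.lower() for t in re.split(r'[,\s:]+', m.group(1).strip()) if t]
    if '!sslv3' in toks:
        return False
    included = [t for t in toks if not t.startswith('!')]
    return 'sslv3' in included if included else True

if __name__ == '__main__':
    # Constructed sample fragments, not taken from any real server.
    print(nginx_allows_sslv3('server {\n  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}'))
    print(apache_allows_sslv3('SSLEngine on\nSSLProtocol All -SSLv2\n'))
    print(postfix_allows_sslv3('smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3\n'))
```

A True result means the fragment still permits SSL 3.0 and needs the change described above; None means the directive should be added explicitly rather than relying on the default.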
OpenVPN and Applications Using OpenVPN
Currently, it is not possible to disable a specific encryption protocol in OpenVPN. Recommendations for changing the configuration of OpenVPN servers or clients are expected soon.