POODLE vulnerability in SSL 3.0

Many modern TLS clients can fall back to version 3.0 of the SSL protocol, which is vulnerable to a padding-oracle attack when Cypher-block chaining (CBC) mode is used. This is commonly referred to as the "POODLE" (Padding Oracle On Downgraded Legacy Encryption) attack.

Description

CWE-327: Use of a Broken or Risky Cryptographic Algorithm - CVE-2014-3566 Multiple implementations of SSL 3.0, including the implementation in OpenSSL up to version 1.0.1i, support the use of CBC mode. However, SSL 3.0 is vulnerable to a padding-oracle attack when CBC mode is used. A successful padding-oracle attack can provide an attacker with cleartext information from the encrypted communications. Additionally, many modern TLS clients still support the ability to fall back to the SSL 3.0 protocol in order to communicate with legacy servers. A man-in-the-middle attacker may be able to force the protocol version negotiation sequence to downgrade to SSL 3.0, thereby opening up the opportunity to exploit the padding-oracle attack. For more information, please refer to the original security advisory.

Impact

An adjacent, unauthenticated attacker may be able to derive cleartext information from communications that utilize the SSL 3.0 protocol with CBC mode.

Solution

OpenSSL has fixed the issue in OpenSSL versions 1.0.1j, 1.0.0o, and 0.9.8zc. For other implementations of the protocol, please check with the appropriate maintainer or vendor to determine if the implementation is affected by this issue. Additionally, consider the following workaround:

Use TLS_FALLBACK_SCSV If disabling SSL 3.0 is not possible, TLS client and server implementations should make use of theTLS_FALLBACK_SCSV cipher suite value to prevent man-in-the-middle attackers from forcing unnecessary protocol downgrades.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
OpenSSL	Affected	-	17 Oct 2014
Apache-SSL	Unknown	17 Oct 2014	17 Oct 2014
Apache HTTP Server Project	Unknown	17 Oct 2014	17 Oct 2014
Aruba Networks, Inc.	Unknown	17 Oct 2014	17 Oct 2014
Attachmate	Unknown	17 Oct 2014	17 Oct 2014
Botan	Unknown	17 Oct 2014	17 Oct 2014
Certicom	Unknown	17 Oct 2014	17 Oct 2014
Cryptlib	Unknown	17 Oct 2014	17 Oct 2014
Crypto++ Library	Unknown	17 Oct 2014	17 Oct 2014
EMC Corporation	Unknown	17 Oct 2014	17 Oct 2014
F5 Networks, Inc.	Unknown	17 Oct 2014	17 Oct 2014
GnuTLS	Unknown	17 Oct 2014	17 Oct 2014
IAIK Java Group	Unknown	17 Oct 2014	17 Oct 2014
Legion of the Bouncy Castle	Unknown	17 Oct 2014	17 Oct 2014
libgcrypt	Unknown	17 Oct 2014	17 Oct 2014

If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group	Score	Vector
Base	4.3	AV:N/AC:M/Au:N/C:P/I:N/A:N
Temporal	3.6	E:F/RL:OF/RC:C
Environmental	3.6	CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

• https://www.openssl.org/~bodo/ssl-poodle.pdf
• https://www.openssl.org/news/secadv_20141015.txt
• https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
• https://www.us-cert.gov/ncas/alerts/TA14-290A

Credit

This document was written by Todd Lewellen.

Other Information

• CVE IDs: CVE-2014-3566
• Date Public: 14 10월 2014
• Date First Published: 17 10월 2014
• Date Last Updated: 17 10월 2014
• Document Revision: 11