Radware’s Emergency Response Team (ERT) is reporting a new vulnerability, published as CVE-2014-3566 and named POODLE (Padding Oracle on Downgraded Legacy Encryption). This SSLv3 POODLE vulnerability can force a client to negotiate SSLv3 instead of TLS and then carry out BEAST (Browser Exploit Against SSL/TLS) attacks to obtain information from an encrypted stream.
What Have We Learned?
Unlike previous vulnerabilities we’ve seen this past year that allowed a hacker to access a server (Heartbleed and Shellshock), this new vulnerability targets clients. POODLE affects SSLv3, which encrypts the data between a user’s browser and the website they are accessing.
Because web browsers can use either SSL or TLS, this “man-in-the-middle” attack can force a connection down to SSLv3, where a hacker can steal session cookies and gain unauthorized access to a user’s web-based email, social networks and other websites. To do this, however, the hacker needs to sit between the user and the website. A WiFi hotspot in a public area such as an airport, shopping mall or café is a place that could be used to gain that access.
Although SSLv3 is used in older browsers and servers, this aging protocol is still a problem because it remains widely supported.
What We Recommend:
For Data interfaces, our recommendation is to disable SSLv3 so that clients are forced to work with TLS 1.x ciphers as much as possible. Disabling SSLv3 will prevent access from legacy clients.
For the Management interface, the risk of this vulnerability being exploited is low, since management traffic is usually isolated from Data traffic and accessed by trusted users. Nevertheless, limiting HTTPS management traffic and using SSH as an interim mitigation is also an option until a fix is released.
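One way to confirm that the recommendation has taken effect is to look at what a server actually answers during the handshake. The following added example (not Radware's code; the function names and the sample bytes are constructed here) parses the first bytes a server sends back to a ClientHello and reports whether the connection settled on SSLv3, settled on TLS, or was refused with an alert.

```python
import struct

# Protocol version codes as they appear on the wire (major, minor).
# TLS 1.3 also reports 0x0303 in this field, hence "TLS 1.2+".
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2+"}
HANDSHAKE, ALERT, SERVER_HELLO = 22, 21, 2

def server_reply(data: bytes):
    """Classify the first bytes a server sends back to a ClientHello.

    Returns ("hello", version_code), ("alert", description) or ("unknown", None).
    """
    pos = 0
    while pos + 5 <= len(data):
        # Record header: content type (1), record version (2), length (2).
        ctype, _record_version, length = struct.unpack_from("!BHH", data, pos)
        body = data[pos + 5 : pos + 5 + length]
        if len(body) < length:
            break  # truncated capture
        if ctype == ALERT and length >= 2:
            return ("alert", body[1])
        # Handshake body: msg_type (1) + length (3) + server_version (2) + ...
        if ctype == HANDSHAKE and length >= 6 and body[0] == SERVER_HELLO:
            return ("hello", struct.unpack_from("!H", body, 4)[0])
        pos += 5 + length
    return ("unknown", None)

def sslv3_finding(data: bytes) -> str:
    """Turn the server's reply into a pass/fail line for an SSLv3 audit."""
    kind, value = server_reply(data)
    if kind == "hello" and value == 0x0300:
        return "FAIL: server negotiated SSLv3"
    if kind == "hello":
        return "PASS: server negotiated " + VERSIONS.get(value, hex(value))
    if kind == "alert":
        return f"PASS: handshake refused (alert {value})"
    return "INCONCLUSIVE: no ServerHello or alert found"

def sample_server_hello(version: int) -> bytes:
    """Constructed ServerHello record: zero random, empty session id, one suite."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake

SAMPLE_ALERT = struct.pack("!BHHBB", ALERT, 0x0300, 2, 2, 40)  # constructed fatal alert

if __name__ == "__main__":
    for name, raw in [("legacy", sample_server_hello(0x0300)),
                      ("hardened", sample_server_hello(0x0303)),
                      ("refusing", SAMPLE_ALERT)]:
        print(name, "->", sslv3_finding(raw))
```

A TLS result only describes the connection that was captured; to show that SSLv3 is disabled, the reply must come from a handshake in which the client offered SSLv3 only, where a refusal is the expected outcome.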
Long Range Thoughts
The recent vulnerabilities that have emerged highlight the rise in integrity-based attacks that we see at the Radware ERT. These silent and effective attacks are used not only to violate confidentiality, but also as stepping stones to launch other attacks. The immediate steps to take are to disable SSLv3 and migrate to another viable security protocol, such as TLS or SSH. As more vulnerabilities emerge, our team will continue to take them one by one and share our evaluation and recommendations. For more on the POODLE vulnerability, read our full report here.