[SECURITY-L] [TA14-290A: SSL 3.0 Protocol Vulnerability and POODLE Attack]

CSIRT - UNICAMP security at unicamp.br
Fri Oct 17 16:33:00 -03 2014


-------- Forwarded Message --------
Subject: 	TA14-290A: SSL 3.0 Protocol Vulnerability and POODLE Attack
Date: 	Fri, 17 Oct 2014 13:08:28 -0500
From: 	US-CERT <US-CERT at ncas.us-cert.gov>
Reply-To: 	US-CERT at ncas.us-cert.gov

NCCIC / US-CERT

National Cyber Awareness System:

TA14-290A: SSL 3.0 Protocol Vulnerability and POODLE Attack
<https://www.us-cert.gov/ncas/alerts/TA14-290A>
10/17/2014 12:27 PM EDT

Original release date: October 17, 2014


      Systems Affected

All systems and applications utilizing the Secure Sockets Layer (SSL) 3.0
protocol with cipher-block chaining (CBC) mode ciphers may be vulnerable.
However, the POODLE (Padding Oracle On Downgraded Legacy Encryption)
attack demonstrates this vulnerability using web browsers and web
servers, which is one of the most likely exploitation scenarios.


      Overview

US-CERT is aware of a design vulnerability found in the way SSL 3.0
handles block cipher mode padding. The POODLE attack demonstrates how an
attacker can exploit this vulnerability to decrypt and extract
information from inside an encrypted transaction.


      Description

The SSL 3.0 vulnerability stems from the way blocks of data are padded
and encrypted under CBC mode ciphers within the SSL protocol. The POODLE
attack takes advantage of the protocol version negotiation feature built
into SSL/TLS to force the use of SSL 3.0 and then leverages this new
vulnerability to decrypt select content within the SSL session. The
decryption is done byte by byte and will generate a large number of
connections between the client and server.
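The difference in padding handling that the paragraph above refers to, as an added illustration that is not part of the advisory: after CBC decryption, an SSL 3.0 receiver only checks that the final padding-length byte is smaller than the block size, whereas TLS 1.0 and later also require every padding byte to equal that length byte. The record contents below are constructed; AES-CBC (16-byte blocks) is assumed, and the MAC check that would follow in a real record layer is omitted.

```python
from typing import Optional

BLOCK_SIZE = 16  # AES block size; constructed example assumes an AES-CBC suite


def ssl3_strip_padding(plain: bytes) -> Optional[bytes]:
    """SSL 3.0 rule: the last byte is the padding length and must be smaller
    than the block size. Returns the remaining data, or None if the record
    is rejected. The padding bytes themselves are never inspected."""
    if not plain:
        return None
    pad_len = plain[-1]
    if pad_len >= BLOCK_SIZE or pad_len + 1 > len(plain):
        return None
    # Any 'pad_len' bytes are accepted here, so a whole block of padding
    # passes as long as its last byte decrypts to BLOCK_SIZE - 1.
    return plain[: len(plain) - pad_len - 1]


def tls_strip_padding(plain: bytes) -> Optional[bytes]:
    """TLS 1.0+ rule: every padding byte must equal the length byte, so a
    padding block the sender did not produce is rejected."""
    if not plain:
        return None
    pad_len = plain[-1]
    if pad_len + 1 > len(plain):
        return None
    if any(b != pad_len for b in plain[-(pad_len + 1):]):
        return None
    return plain[: len(plain) - pad_len - 1]


def compare(plain: bytes) -> tuple:
    """Run both receivers on the same decrypted record."""
    return (ssl3_strip_padding(plain), tls_strip_padding(plain))


# Constructed records: the same 6-byte payload followed by a full block
# of padding. In the second one the padding bytes are arbitrary, with only
# the length byte correct; SSL 3.0 accepts it, TLS does not.
WELL_FORMED = b"secret" + bytes([15]) * 16
ARBITRARY_PAD = b"secret" + bytes(range(15)) + bytes([15])
```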

While SSL 3.0 is an old encryption standard and has generally been
replaced by Transport Layer Security (TLS) (which is not vulnerable in
this way), most SSL/TLS implementations remain backwards compatible with
SSL 3.0 to interoperate with legacy systems in the interest of a smooth
user experience. Even if a client and server both support a version of
TLS, the SSL/TLS protocol suite allows for protocol version negotiation
(referred to as the “downgrade dance” in other reporting). The POODLE
attack leverages the fact that when a secure connection attempt fails,
servers will fall back to older protocols such as SSL 3.0. An attacker
who can trigger a connection failure can then force the use of SSL 3.0
and attempt the new attack. [1]
<https://www.openssl.org/%7Ebodo/ssl-poodle.pdf>

Two other conditions must be met to successfully execute the POODLE
attack: 1) the attacker must be able to control portions of the client
side of the SSL connection (varying the length of the input) and 2) the
attacker must have visibility of the resulting ciphertext. The most
common way to achieve these conditions would be to act as
Man-in-the-Middle (MITM), requiring a whole separate form of attack to
establish that level of access.

These conditions make successful exploitation somewhat difficult.
Environments that are already at above-average risk for MITM attacks
(such as public WiFi) remove some of those challenges.


      Impact

The POODLE attack can be used against any system or application that
supports SSL 3.0 with CBC mode ciphers. This affects most current
browsers and websites, but also includes any software that either
references a vulnerable SSL/TLS library (e.g. OpenSSL) or implements the
SSL/TLS protocol suite itself. By exploiting this vulnerability in a
likely web-based scenario, an attacker can gain access to sensitive data
passed within the encrypted web session, such as passwords, cookies and
other authentication tokens that can then be used to gain more complete
access to a website (impersonating that user, accessing database
content, etc.).


      Solution

There is currently no fix for the vulnerability in SSL 3.0 itself, as the
issue is fundamental to the protocol; however, disabling SSL 3.0 support
in system/application configurations is the most viable solution
currently available.

Some of the same researchers who discovered the vulnerability also
developed a fix for one of the prerequisite conditions:
TLS_FALLBACK_SCSV is a protocol extension that prevents MITM attackers
from being able to force a protocol downgrade. OpenSSL has added support
for TLS_FALLBACK_SCSV to its latest versions and recommends the
following upgrades: [2]
<https://www.openssl.org/news/secadv_20141015.txt>

  * OpenSSL 1.0.1 users should upgrade to 1.0.1j.
  * OpenSSL 1.0.0 users should upgrade to 1.0.0o.
  * OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

Both clients and servers need to support TLS_FALLBACK_SCSV to prevent
downgrade attacks.
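How the fallback signal works, as an added simulation that is not part of the advisory or of OpenSSL: a client that retries at a lower version after a failed handshake adds the TLS_FALLBACK_SCSV cipher-suite value to its retry, and a server that supports the signal refuses the retry when it could have spoken a higher version, since the earlier failure was then not its doing. The constants are those standardized in RFC 7507; the browser fallback order, the attacker's dropped versions and the server classes are constructed for the example.

```python
# On-the-wire (major, minor) version encodings, comparable as tuples.
SSL3 = (3, 0)
TLS10 = (3, 1)
TLS12 = (3, 3)
TLS_FALLBACK_SCSV = 0x5600         # signalling cipher-suite value (RFC 7507)
ALERT_INAPPROPRIATE_FALLBACK = 86   # alert sent when a fallback is rejected
CBC_SUITE = 0x002F                  # TLS_RSA_WITH_AES_128_CBC_SHA


class Server:
    """Constructed server model: highest version it speaks, and whether it
    understands the fallback signal (pre-1.0.1j OpenSSL did not)."""

    def __init__(self, max_version, supports_scsv):
        self.max_version = max_version
        self.supports_scsv = supports_scsv

    def handle_client_hello(self, client_version, cipher_suites):
        """Returns ("alert", code) or ("server_hello", negotiated_version)."""
        if (self.supports_scsv
                and TLS_FALLBACK_SCSV in cipher_suites
                and client_version < self.max_version):
            # The client says this is a retry at a reduced version, yet we
            # support more: the previous failure was induced, so refuse.
            return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
        # A server that ignores the signal just negotiates the lower version.
        return ("server_hello", min(client_version, self.max_version))


def downgrade_dance(server, client_max, sends_scsv, attacker_drops):
    """Simulates a browser's fallback loop. 'attacker_drops' holds the
    versions whose handshakes a MITM silently breaks (constructed scenario).
    Returns the server's final response, or ("failed", None)."""
    versions = [v for v in (TLS12, TLS10, SSL3) if v <= client_max]
    for attempt, version in enumerate(versions):
        if version in attacker_drops:
            continue  # handshake "failed"; browser retries one version lower
        suites = [CBC_SUITE]
        if sends_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)  # only added on a retry
        return server.handle_client_hello(version, suites)
    return ("failed", None)
```

A server that reaches SSL 3.0 only because that is its own maximum is still served, which is why the signal does not break genuine legacy interoperability.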

Other SSL 3.0 implementations are most likely also affected by POODLE.
Contact your vendor for details. Additional vendor information may be
available in the National Vulnerability Database (NVD) entry for
CVE-2014-3566. [3]
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566>


      References

  * [1] This Poodle Bites: Exploiting The SSL Fallback
    <https://www.openssl.org/%7Ebodo/ssl-poodle.pdf>
  * [2] OpenSSL Security Advisory [15 Oct 2014]
    <https://www.openssl.org/news/secadv_20141015.txt>
  * [3] Vulnerability Summary for CVE-2014-3566
    <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566>


      Revision History

  * October 17, 2014 Initial Release

------------------------------------------------------------------------


----- End forwarded message -----

More details about the SECURITY-L discussion list