Reference: CERT-EU Security Advisory 2014-169
NEW SSLv3 Padding Oracle On Downgraded Legacy Encryption attack

Short Summary
-------------

The SSL protocol 3.0, as used in OpenSSL and other products, uses non-deterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain clear text data via a padding-oracle attack, aka the "POODLE" issue.

CVE: CVE-2014-3566
Published: Oct 15 2014

Impact
------

POODLE could allow an attacker to hijack and decrypt session cookies that identify users to services and then take over accounts without needing credentials. The attacker would have to control the network that the victim is connected to in order to conduct this kind of man-in-the-middle attack.

Technical Description
---------------------

SSL 3.0 is an obsolete and insecure protocol. However, many TLS implementations remain backwards-compatible with SSL 3.0 to interoperate with legacy systems. The protocol handshake provides for authenticated version negotiation, so normally the latest protocol version common to the client and the server will be used. However, even if a client and server both support a version of TLS, the security level offered by SSL 3.0 is still relevant, since many clients implement a protocol downgrade to work around server-side interoperability bugs. Attackers can exploit the downgrade procedure and break the cryptographic security of SSL 3.0.

Solutions
---------

The majority of clients support recent versions of TLS. It is recommended to completely disable SSLv3 support on your TLS/SSL servers and clients. Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but it might cause compatibility problems. Therefore an alternative response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

Vulnerable Systems
------------------

SSLv3 support is provided by the following software products. Others may be identified in the future.

Apache HTTP server
Nginx HTTP server
Postfix SMTP server
Microsoft IIS
Dovecot IMAP
Firefox
Thunderbird
Internet Explorer
Safari

References
----------

This POODLE Bites: Exploiting The SSL 3.0 Fallback
https://www.openssl.org/~bodo/ssl-poodle.pdf

TR-28 - The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, are vulnerable to a critical padding oracle attack - CVE-2014-3566
http://www.circl.lu/pub/tr-28/

How POODLE Happened
https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html

CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
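The Solutions section recommends disabling SSLv3 on servers, and the Vulnerable Systems section names Apache, Nginx, Postfix and Dovecot among the affected products. The following script is an added example, not part of the CERT-EU advisory, that audits the protocol directives of those four products for lingering SSLv3 support. It evaluates Apache's `SSLProtocol` (where `all` enables SSLv3 unless `-SSLv3` is present), Nginx's `ssl_protocols` (an explicit enable list), and the Postfix/Dovecot `*_tls_protocols` / `ssl_protocols` form (an exclude list when entries carry `!`). The sample configuration lines, the set of versions that Apache's `all` is assumed to expand to, and the product names used as labels are all constructed for this example.

```python
"""Audit SSL/TLS protocol directives for lingering SSLv3 support (added example)."""
import re

# Constructed sample lines, one per product named in the advisory; not taken
# from any real deployment. Lines 2 and 4 still allow SSLv3, lines 6 and 8 do not.
SAMPLE_CONFIG = """\
# Apache httpd (mod_ssl)
SSLProtocol all -SSLv2
# Nginx
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# Postfix main.cf
smtpd_tls_protocols = !SSLv2, !SSLv3
# Dovecot
ssl_protocols = !SSLv2 !SSLv3
"""

# Assumption: the versions mod_ssl's 'all' keyword expanded to in 2014
# (TLSv1.3 did not exist yet). Names are compared case-insensitively.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}


def apache_allows_sslv3(value):
    """Evaluate an Apache `SSLProtocol` value token by token.
    Tokens are 'all', '+proto', '-proto' or a bare 'proto'; 'all' turns on
    every version (SSLv3 included) and a later '-SSLv3' removes it again."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = APACHE_ALL if name.lower() == "all" else {name.lower()}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return "sslv3" in enabled


def nginx_allows_sslv3(value):
    """Nginx lists the enabled versions explicitly; SSLv3 is on only if named."""
    return "sslv3" in {t.lower() for t in value.rstrip(";").split()}


def exclusion_list_allows_sslv3(value):
    """Postfix and Dovecot accept either an include list ('TLSv1 TLSv1.2') or
    an exclude list ('!SSLv2 !SSLv3'). Returns None for an empty value, where
    the product's compiled-in default applies and must be checked separately."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    if not tokens:
        return None
    excluded = {t[1:].lower() for t in tokens if t.startswith("!")}
    if excluded:
        return "sslv3" not in excluded
    return "sslv3" in {t.lower() for t in tokens}


# (label, directive pattern, evaluator). The Dovecot pattern requires '=' and
# the Nginx pattern forbids it, which is how the two 'ssl_protocols' forms are
# told apart. 'smtpd?_' covers both Postfix server and client settings.
DIRECTIVES = [
    ("apache",  re.compile(r"^\s*SSLProtocol\s+(.*)$", re.I), apache_allows_sslv3),
    ("postfix", re.compile(r"^\s*smtpd?_tls_protocols\s*=\s*(.*)$"), exclusion_list_allows_sslv3),
    ("dovecot", re.compile(r"^\s*ssl_protocols\s*=\s*(.*)$"), exclusion_list_allows_sslv3),
    ("nginx",   re.compile(r"^\s*ssl_protocols\s+([^=;]*);?\s*$"), nginx_allows_sslv3),
]


def audit(config_text):
    """Return (line_no, product, allows_sslv3) for every protocol directive found."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for product, pattern, evaluate in DIRECTIVES:
            m = pattern.match(line)
            if m:
                findings.append((n, product, evaluate(m.group(1).strip())))
                break
    return findings


if __name__ == "__main__":
    for n, product, allows in audit(SAMPLE_CONFIG):
        verdict = "SSLv3 ENABLED" if allows else ("default, verify" if allows is None else "ok")
        print(f"line {n:2d}  {product:8s} {verdict}")
```

A static audit only shows what the configuration asks for; after changing a directive and reloading, confirm the result on the wire with `openssl s_client -connect host:443 -ssl3`, which must fail the handshake once SSLv3 is disabled (on OpenSSL builds that still include SSLv3 support).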