MCNC Security Advisory 2014.004

Attack Against SSL Version 3.0 Can Lead to Exposure of Sensitive Data

General Information

Executive Summary

A weakness has been identified in version 3.0 of the SSL protocol used to encrypt and secure connections between connected systems on the Internet. Attackers can leverage this weakness to steal information from encrypted sessions.

Normally, when a session is encrypted, an attacker cannot access data within the session (unless they have somehow obtained access to the encryption keys). A newly identified attack method, referred to as POODLE (Padding Oracle On Downgraded Legacy Encryption), allows an attacker to extract sensitive data from within an encrypted session without the encryption keys. This is a serious issue because users can no longer trust that sensitive data within an encrypted session is secure.

Advisory Details

Details of the Issue

The POODLE issue is serious, but it is also complicated. There are some mitigating factors that can lessen the likelihood of a successful attack, but the impact can be quite serious.

The issue is actually two separate, but related weaknesses that are leveraged to conduct a successful attack. The first issue is a weakness in version 3.0 of the SSL protocol that allows an attacker to steal sensitive information from within encrypted sessions. The full technical details of the weakness and the attack are explained here: https://www.imperialviolet.org/2014/10/14/poodle.html.

On it’s own, this attack simply means that version 3.0 of the SSL protocol is no longer trustworthy for securing sessions between systems. This information is not surprising as SSL v3.0 is 15 years old and is known to be obsolete. It has been replaced by a protocol called TLS that was designed to secure sessions between systems.

The problem in this case is also due to a second weakness referred to as SSL/TLS Version Selection Fallback. When a client using SSL/TLS wishes to make a secure connection to a server, it will let the server know what version of TLS or SSL it can support for securing the session. The server will respond to the client indicating what it can support, and the two systems will agree on the protocol and version that they will use for the session. This negotiation allows systems to support newer protocols (such as TLS v1.2), while also maintaining the ability to support communicating with older systems that may only support older protocols (SSL v3.0).

In the case of the POODLE attack, the attacker leverages a position in the middle of the network to intercept the communications between the client and the server, and force them to negotiate down to the SSL v3.0 protocol. Once the session begins, now using SSL v3.0, the attacker can leverage the attack technique described above to extract sensitive information from the encrypted session.

Suggested Actions

There is no way to “fix” this issue within SSL v3.0. The only way to eliminate the weakness is to disable support for SSL v3.0, and instead use only the newer TLS protocols. The TLS protocols are not vulnerable to the weaknesses that allow the POODLE attack to succeed.

Because the POODLE attack relies on manipulating both clients and servers into using the weak SSL v3.0 protocol, support for it must be disabled on both sides of the connection (client and server).

However, disabling SSL v3.0 may be challenging in some environments. Systems that cannot be updated to support only modern TLS protocols will no longer function if SSL v3.0 is disabled. Older browsers such as Internet Explorer 6 do not support TLS. If you operate a server and disable SSL v3.0, legacy clients may no longer be able to access your server. If you disable SSL v3.0 in your browser, you may not be able to connect to legacy servers that only support SSL v3.0.

Disable Support for SSL v3.0 in Your Servers If you operate a server that provides SSL or TLS services, ensure that support for SSL v3.0 is disabled. You will need to develop a plan to deal with legacy client systems that do not support TLS v1.0 or greater. Microsoft Internet Explorer v6.0 is the only major web browser with significant deployment that does not support TLS v1.0 or greater.

Disable Support for SSL v3.0 in Your Web Browsers If your web browser supports SSL v3.0, it can be forced into SSL/TLS Version Selection Fallback and can be made vulnerable. To ensure that your web browsers are protected, you should configure them such that support for SSL v3.0 is disabled.

See the article below for step-by-step instructions on how to disable SSL v3.0 support in Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer:

http://www.tomsguide.com/us/poodle-fix-how-to,news-19775.html

Additional Information

 

  1. https://www.openssl.org/~bodo/ssl-poodle.pdf
  2. http://blog.erratasec.com/2014/10/some-poodle-notes.html
  3. https://blogs.akamai.com/2014/10/ssl-is-dead-long-live-tls.html
  4. https://www.imperialviolet.org/2014/10/14/poodle.html
  5. https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
  6. http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html


Revisions

  • v1 (October 15, 2014): Advisory published.

 

Tags