New Flaw: POODLE Puts Browsers at RiskSecurity Experts Recommend Disabling Outdated SSL Support
Millions of browsers may be vulnerable to a cryptographic flaw that hackers could exploit to steal session cookies and impersonate users, as well as to crack previously encrypted Web traffic.
The Padding Oracle On Downgraded Legacy Encryption - or POODLE - flaw was first publicly confirmed Oct. 14, after nearly a week's worth of related rumors. The flaw, which was discovered by Google security researchers Bodo MÃ¶ller, Thai Duong and Krzysztof Kotowicz, exists in version 3 of Secure Sockets Layer, or SSL, which is a 15-year-old cryptographic protocol that's designed to secure Internet communications. While SSL is outdated and was replaced by Transport Layer Security version 1, most browsers still remain compatible with SSL and are vulnerable to attacks that target the flaw.
"The risk from this vulnerability is that if an attacker could force a downgrade to SSLv3, then any traffic exchanged over an encrypted connection using that protocol could be intercepted and read," says Matthew Prince, CEO of distributed-denial-of-service defense firm CloudFlare, in a blog post.
"This is known as a cypher suite rollback attack," says Jean Taggart, a senior security researcher at anti-malware developer Malwarebytes.
The SANS Institute's Internet Storm Center has created a free Poodle Test site that can be used to see if a browser supports SSL 3.0, and thus may be vulnerable to related attacks. The test page returns a Poodle for vulnerable browsers, and a Springfield Terrier if not. For testing to see if servers are vulnerable to related attacks, SANS Institute recommends using the free SSL Server Test from vulnerability management vendor Qualys.
Whereas the recently discovered flaws in Bash - known as Shellshock - as well as the OpenSSL Heartbleed flaws could be used to target servers, POODLE can be used to target clients, such as Web browsers running on PCs, smart phones, or browsers that are hard-coded into Internet of Things devices.
One caveat, however, is that the flaw can only be exploited via man-in-the-middle attacks, meaning an attacker would need to be able to tap into the lines of communication between a client and a server. "This means you are probably safe from hackers at home, because hackers can't tap backbone links," says Robert David Graham, president of offensive security research firm Errata Security, in a blog post. "But, since the NSA can tap into such links, it's probably easy for them. However, when using the local Starbucks or other unencrypted WiFi, you are in grave danger from this hack from hackers sitting the table next to you."
No Patch for SSL
The POODLE problem - officially designated as CVE-2014-3566 - has to do with SSL version 3 itself, rather than any company's particular implementation of that protocol. "It's the standard protocol that is vulnerable, not anybody's code," Graham says. "Essentially, they got the math wrong."
"SSL got encryption and authentication the wrong way around - it authenticates before encrypting," says Google security engineer Adam Langley in a blog post.
How to Neutralize POODLE
The simple fix for POODLE is to disable SSL 3.0 support on all browsers and servers. "Disable SSLv3," says Johannes Ullrich, dean of research for the SANS Institute, in a blog post. "There is no patch for this. SSLv3 has reached the end of its useful life and should be retired."
Microsoft released a partial fix Oct. 14 for supported versions of Windows 7, 8, 8.1 and RT, as well as Windows Server 2008 R2 and 2012. "This patch enables support for TLS1.1 and 1.2, thus moving away [from] these older, vulnerable cypher suites," Taggart at Malwarebytes says. "Disabling support for the vulnerable [SSL] versions is also required to address this vulnerability," and Microsoft has released related recommendations.
CloudFlare has also begun blocking SSL 3.0 by default for all of its customers. But that approach can have repercussions. "This will have an impact on some older browsers, resulting in an SSL connection error," Prince says. "The biggest impact is Internet Explorer 6 running on Windows XP or older," which will see an SSL error message instead of the Web page the user is attempting to load.
As a reality check, however, Prince says only 0.09 percent of all traffic CloudFlare sees is SSLv3, while 0.65 percent of HTTPS traffic uses SSLv3. "The good news is most of that traffic is actually attack traffic and some minor crawlers," he says. Furthermore, while 3 percent of CloudFlare's traffic is from Windows XP users, only 1 percent of them use SSLv3. "In other words, even on an out-of-date operating system, 98.88 percent [of] Windows XP users connected using TLSv1.0+ - which is not vulnerable to this vulnerability."
Fallback for Servers
Disabling SSL 3.0 outright on some servers, however, may also create interoperability problems. In that case, one option is to update servers to support TLS_FALLBACK_SCSV, the Google researchers say in a blog post. "This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0," they say. "It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks."
Google says it's been using TLS_FALLBACK_SCSV on its servers since February and hasn't seen compatibility problems. On Oct. 14, meanwhile, Google said it began running tests for its Chrome browser that remove the SSLv3 fallback capability. "This change will break some sites, and those sites will need to be updated quickly," the Google researchers warn.
Probably less than 1% of HTTPS traffic uses SSL v3 but that's still a significant number so please put it out of our misery and disable it.ï¿½ Alan Woodward (@ProfWoodward) October 15, 2014
(News Writer Jeffrey Roman also contributed to this story.)