In what is becoming a worryingly frequent occurrence, a vulnerability has been reported in the SSL protocol used to encrypt connections between web clients and servers. The good news in this case is that the vulnerability occurs in a relatively ancient version of SSL (so old that it was still called SSL, and not the more modern TLS). The bad news is that the way SSL is implemented on modern browsers and other clients means that the ancient protocol is sometimes still used.
Cutely named Poodle (Padding Oracle On Downgraded Legacy Encryption) and officially named CVE-2014-3466, the vulnerability has the potential to allow an attacker to read plaintext versions of data that should be encrypted.
There are two parts to the vulnerability. The first is a problem with SSL 3.0 itself. Because of a error in the specification, it was never made clear how the protocol should handle padding bytes. That mistake means it’s possible for small amounts of plaintext to be read. That’s bad enough, but in an ideal world SSL 3.0 should have been put out to pasture long ago: it has other flaws and is altogether inapt as an encryption protocol on the modern web, which is why everyone uses later versions of TLS if they are able.
Which brings us to the second part of the vulnerability. Back when SSL 3.0 was to be retired, it was discovered that some servers and applications didn’t behave properly when they were asked to use a protocol they didn’t understand, such as the new versions of TLS; so, in an effort to avoid breaking the web, it was decided that browsers would try to use the most recent version of TLS they supported, but if the server said nope, they’d try an older version. In some cases, that means a browser can be forced to degrade its security to the point at which it is using SSL 3.0 and its juicy vulnerability.
By using a man-in-the-middle attack, it’s possible to coerce the browser into using SSL 3.0. This would typically be done by forcing it to connect to a rogue WiFi network in a public place. The person controlling that network could then trick the browser into believing that the online banking service it’s trying to connect to only supports SSL 3.0, following which the attacker could use the padding vulnerability to attempt to read any authentication cookies passing between the banking site and the browser.
This isn’t a behavior inherent in OpenSSL or other TLS implementations, so they’re off the hook for Poodle: the compatibility dance is implemented in browsers.
The obvious solution is to prevent browsers from using SSL 3.0 under any circumstances, which is what most of the browser manufacturers are doing. It would also be great if web service providers stopped using SSL 3.0, and most of them have, but there are a few old applications and routers that still use it.
Poodle isn’t as serious as other recent vulnerabilities like Shellshock and Heartbleed, but if you’re concerned that your CentOS box might be vulnerable, take a look at the official CentOS release.
- Poodle – An SSL 3.0 Vulnerability from RedHat.
- The Poodle Attack and the End of SSL 3.0 from Mozilla.
- This Poodle bites: exploiting the SSL 3.0 fallback, the original announcement from Google.