Tame that POODLE: Managing the Latest SSL Vulnerability

Last week the OpenSSL project released an advisory that describes a new SSL vulnerability. Now commonly known as “POODLE” (“Padding Oracle On Downgraded Legacy Encryption”), this vulnerability is less dangerous than its predecessor, the Heartbleed bug—primarily because of the conditions needed to exploit it (see below).

POODLE is essentially an attack on the SSLv3 protocol. It was discovered in September (and published on October 14) by Google employees Bodo Möller, Thai Duong, and Krzysztof Kotowicz.

Browser vendors are in the process of disabling SSLv3. In the meantime, Cradlepoint highly recommends that you install our most recent upgrade to router firmware version 5.2.4.

The Man in the Middle
As noted on Stack Exchange, POODLE is a protocol flaw, not an implementation issue. Every implementation of SSL 3.0 is vulnerable to it.
The vulnerability depends on the existence of a “Man in the Middle” between users and the servers they are trying to talk to—most commonly achieved when someone accesses their network through a public WiFi hot spot.

The POODLE attack depends on the fact that when a secure connection attempt fails, servers will fall back to older protocols such as SSLv3. Most browsers will fall back to a modern encryption protocol such as TLSv1.2. But they can also fall back all the way to SSLv3, which is quite old by Internet standards (it is native to IE Version 6, which makes it about 15 years old). So browser companies are now taking steps to completely disable SSLv3. By shutting down SSLv3, they will be closing the door to a host of other potential vulnerabilities.
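The fallback behaviour described above, and the countermeasure that stops it, can be modelled in a few lines. The following is an added example written for this article; it is not code from Cradlepoint, OpenSSL, or the POODLE authors, and it exchanges no real TLS traffic. The client, the server and the network between them are plain Python functions. The "interfering network" simply resets any attempt above SSL 3.0, which is the connection failure the text says an attacker triggers. The countermeasure shown is the TLS_FALLBACK_SCSV signalling cipher suite from RFC 7507, the mechanism the OpenSSL advisory's release added support for: a client that retries at a lower version includes it, and a server that supports a higher version rejects the retry instead of quietly accepting SSL 3.0. The version numbers, suite values and alert names are the standard ones; the function and class names are this example's own.

```python
"""The "downgrade dance" and TLS_FALLBACK_SCSV, modelled in Python.

Added example, not code from Cradlepoint or the OpenSSL project. No real
TLS traffic is exchanged; client, server and network are plain functions.
"""
from dataclasses import dataclass

# Protocol versions as the (major, minor) pairs carried on the wire.
SSL3_0, TLS1_0, TLS1_1, TLS1_2 = (3, 0), (3, 1), (3, 2), (3, 3)
PREFERENCE = [TLS1_2, TLS1_1, TLS1_0, SSL3_0]      # newest first

AES128_SHA = 0x002F          # an ordinary cipher suite (IANA value)
TLS_FALLBACK_SCSV = 0x5600   # signalling suite defined in RFC 7507


@dataclass
class ClientHello:
    version: tuple
    cipher_suites: list


@dataclass
class ServerConfig:
    max_version: tuple
    min_version: tuple       # raise this to TLS1_0 to disable SSL 3.0


class HandshakeFailure(Exception):
    """The attempt failed: unsupported version, or the connection was cut."""


class InappropriateFallback(Exception):
    """Server-side alert (RFC 7507): the client fell back although it did not need to."""


def server_handle(cfg, hello):
    """Return the negotiated version or raise; mirrors an RFC 7507-aware server."""
    if hello.version < cfg.min_version:
        raise HandshakeFailure("server does not speak %s.%s" % hello.version)
    if TLS_FALLBACK_SCSV in hello.cipher_suites and hello.version < cfg.max_version:
        raise InappropriateFallback("client fell back below %s.%s" % cfg.max_version)
    return min(hello.version, cfg.max_version)


def clean_network(cfg, hello):
    """Every attempt reaches the server untouched."""
    return server_handle(cfg, hello)


def interfering_network(cfg, hello):
    """A man in the middle who resets every attempt above SSL 3.0 (the
    connection failure the article describes)."""
    if hello.version > SSL3_0:
        raise HandshakeFailure("connection reset")
    return server_handle(cfg, hello)


def connect(cfg, network, send_scsv):
    """Browser-style fallback loop.  send_scsv=False is the pre-RFC 7507
    behaviour: any failure, a dropped connection included, triggers a retry
    one version lower.  send_scsv=True adds TLS_FALLBACK_SCSV to every retry."""
    for attempt, version in enumerate(PREFERENCE):
        suites = [AES128_SHA]
        if send_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)
        try:
            return network(cfg, ClientHello(version, suites))
        except HandshakeFailure:
            continue             # InappropriateFallback is deliberately not caught
    raise HandshakeFailure("no protocol version was accepted")


if __name__ == "__main__":
    legacy = ServerConfig(max_version=TLS1_2, min_version=SSL3_0)
    hardened = ServerConfig(max_version=TLS1_2, min_version=TLS1_0)
    print("old client, SSLv3 server, MITM:", connect(legacy, interfering_network, False))
    for label, cfg, scsv in [("SCSV client, SSLv3 server, MITM", legacy, True),
                             ("old client, hardened server, MITM", hardened, False)]:
        try:
            print(label + ":", connect(cfg, interfering_network, scsv))
        except (HandshakeFailure, InappropriateFallback) as exc:
            print(label + ":", type(exc).__name__, "-", exc)
```

Run as a script, the first line shows the problem: an old client talking to a server that still offers SSL 3.0 ends up on (3, 0) after three reset attempts. The second case ends in InappropriateFallback because the server sees the signalling suite on an SSL 3.0 hello while it supports TLS 1.2; the third ends in HandshakeFailure because the server no longer speaks SSL 3.0 at all. Either outcome is preferable to a silently downgraded session, which is why both browser vendors and server operators are removing SSLv3 rather than relying on fallback alone.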

Additional Steps to Protect Your Network
In addition to installing our firmware upgrade, we also recommend the following:

  • Customers using the Cradlepoint router remote management feature should disable it in order to prevent exploitation via POODLE. If you are unsure whether remote management is enabled, please consult our Knowledge Base article on Remote Management.
  • WiPipe Central and NetCloud Manager (NCM) customers should not use Internet Explorer 6 when connecting to WiPipe Central or NetCloud Manager, or they should disable SSL3 in client browsers until a complete evaluation can be performed.
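Whether a server you administer still accepts SSL 3.0 can be verified directly. The script below is an added example, not a Cradlepoint tool; current Python ssl modules no longer speak SSL 3.0 at all, so it assembles a minimal SSLv3 ClientHello by hand and classifies the first record that comes back. Record types, handshake types, alert codes and the three cipher-suite values are the standard IANA/RFC assignments; the function names and the three-way result labels are this example's own. It is intended for checking hosts you are responsible for, such as a router's own management interface after the firmware upgrade.

```python
"""Verify that a server no longer accepts an SSL 3.0 handshake.

Added example, not Cradlepoint's code. Builds an SSLv3 ClientHello by hand
(modern Python ssl modules cannot) and classifies the server's first record.
"""
import os
import socket
import struct
import sys

HANDSHAKE, ALERT = 0x16, 0x15        # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
SSL3 = b"\x03\x00"                   # SSL 3.0 version bytes
# CBC suites an SSLv3 server would typically still offer (IANA values):
CIPHER_SUITES = [0x002F, 0x0035, 0x000A]   # AES128-SHA, AES256-SHA, DES-CBC3-SHA
REJECTING_ALERTS = {40, 70}          # handshake_failure, protocol_version


def build_sslv3_client_hello(client_random=None):
    """Return one handshake record carrying an SSL 3.0 ClientHello (no extensions)."""
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (SSL3 + client_random + b"\x00"            # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                            # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the first record the server sent to one of three labels."""
    if not data:
        return "sslv3-rejected"      # connection closed without a reply
    ctype = data[0]
    if ctype == ALERT and len(data) >= 7:
        description = data[6]        # data[5] is the alert level
        return "sslv3-rejected" if description in REJECTING_ALERTS else "unknown"
    if ctype == HANDSHAKE and len(data) >= 11 and data[5] == SERVER_HELLO:
        # Negotiated version sits at offset 9: 5-byte record header + 4-byte handshake header.
        return "sslv3-accepted" if data[9:11] == SSL3 else "unknown"
    return "unknown"


def check_server(host, port=443, timeout=5.0):
    """Send the probe to host:port and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(target, target_port, check_server(target, target_port))
```

A result of "sslv3-accepted" means the host will still negotiate SSL 3.0 and should be fixed on the server side: on nginx that is ssl_protocols TLSv1 TLSv1.1 TLSv1.2; and on Apache httpd SSLProtocol all -SSLv3 (standard directives of those servers, not Cradlepoint settings). "unknown" usually means the port is not speaking SSL/TLS at all or replied with something the classifier does not model, and is worth a look by hand rather than being taken as a pass.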

A Victory for Open Source
The fact that POODLE was discovered supports the popular wisdom of using open source software. If SSL had been built using proprietary software, vulnerabilities like this might never have been detected, or might instead have been sold as a 0-day exploit in the secret but legal exploit market. Of course open source products could be the targets as well. But since the general public and especially security researchers (including Möller, Duong, and Kotowicz) have access to the OpenSSL source code, there is a much greater chance that weaknesses like POODLE will be unearthed by the researchers who support those projects.

For More Information on POODLE
The U.S. CERT (the Department of Homeland Security's United States Computer Emergency Readiness Team) describes POODLE as an:

SSL 3.0 vulnerability [that] stems from the way blocks of data are encrypted under a specific type of encryption algorithm within the SSL protocol. The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this new vulnerability to decrypt select content within the SSL session. The decryption is done byte by byte and will generate a large number of connections between the client and server.

While SSL 3.0 is an old encryption standard and has generally been replaced by Transport Layer Security (TLS) (which is not vulnerable in this way), most SSL/TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience. Even if a client and server both support a version of TLS, the SSL/TLS protocol suite allows for protocol version negotiation (being referred to as the “downgrade dance” in other reporting). The POODLE attack leverages the fact that when a secure connection attempt fails, servers will fall back to older protocols such as SSL 3.0. An attacker who can trigger a connection failure can then force the use of SSL 3.0 and attempt the new attack.

Two other conditions must be met to successfully execute the POODLE attack: 1) the attacker must be able to control portions of the client side of the SSL connection (varying the length of the input) and 2) the attacker must have visibility of the resulting ciphertext. The most common way to achieve these conditions would be to act as a Man-in-the-Middle (MITM), requiring a whole separate form of attack to establish that level of access.

These conditions make successful exploitation somewhat difficult. Environments that are already at above-average risk for MITM attacks (such as public WiFi) remove some of those challenges.