POODLE
The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0.[1][2][3] If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated "September 2014" [1]).[4] On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.[5]
CVE identifier(s) | CVE-2014-3566 |
---|---|
Date discovered | October 14, 2014 |
Discoverer | Bodo Möller, Thai Duong, Krzysztof Kotowicz (Google Security Team) |
Affected software | Any software that supports a fallback to SSL 3.0 |
The CVE-ID associated with the original POODLE attack is CVE-2014-3566. F5 Networks filed for CVE-2014-8730 as well, see POODLE attack against TLS section below.
Exploitation of graceful degradation
POODLE exemplifies a vulnerability that succeeds because of a mechanism designed for reducing security for the sake of interoperability. When designing systems in domains with high levels of fragmentation, then, extra care is appropriate. In such domains, graceful security degradation may become common.[6]
Prevention
To mitigate the POODLE attack, one approach is to completely disable SSL 3.0 on the client side and the server side. However, some old clients and servers do not support TLS 1.0 and above. Thus, the authors of the paper on POODLE attacks also encourage browser and server implementation of TLS_FALLBACK_SCSV,[7] which will make downgrade attacks impossible.[1][8]
Another mitigation is to implement "anti-POODLE record splitting". It splits the records into several parts and ensures none of them can be attacked. However the problem of the splitting is that, though valid according to the specification, it may also cause compatibility issues due to problems in server-side implementations.[9]
A full list of browser versions and levels of vulnerability to different attacks (including POODLE) can be found in the article Transport Layer Security.
Opera 25 implemented this mitigation in addition to TLS_FALLBACK_SCSV.[10]
Google's Chrome browser and their servers had already supported TLS_FALLBACK_SCSV. Google stated in October 2014 it was planning to remove SSL 3.0 support from their products completely within a few months.[8] Fallback to SSL 3.0 has been disabled in Chrome 39, released in November 2014.[11] SSL 3.0 has been disabled by default in Chrome 40, released in January 2015.[12]
Mozilla disabled SSL 3.0 in Firefox 34 and ESR 31.3, which were released in December 2014, and added support of TLS_FALLBACK_SCSV in Firefox 35.[13]
Microsoft published a security advisory to explain how to disable SSL 3.0 in Internet Explorer and Windows OS,[14] and on October 29, 2014, Microsoft released a fix which disables SSL 3.0 in Internet Explorer on Windows Vista / Server 2003 and above and announced a plan to disable SSL 3.0 by default in their products and services within a few months.[15] Microsoft disabled fallback to SSL 3.0 in Internet Explorer 11 for Protect Mode sites on February 10, 2015,[16] and for other sites on April 14, 2015.[17]
Apple's Safari (on OS X 10.8, iOS 8.1 and later) mitigated against POODLE by removing support for all CBC protocols in SSL 3.0,[18][19] however, this left RC4 which is also completely broken by the RC4 attacks in SSL 3.0.. POODLE was completely mitigated in OS X 10.11 (El Capitan 2015) and iOS 9 (2015).
To prevent the POODLE attack, some web services dropped support of SSL 3.0. Examples include CloudFlare[20] and Wikimedia.[21]
Network Security Services version 3.17.1 (released on October 3, 2014) and 3.16.2.3 (released on October 27, 2014) introduced support for TLS_FALLBACK_SCSV,[22][23] and NSS will disable SSL 3.0 by default in April 2015.[24] OpenSSL versions 1.0.1j, 1.0.0o and 0.9.8zc, released on October 15, 2014, introduced support for TLS_FALLBACK_SCSV.[25] LibreSSL version 2.1.1, released on October 16, 2014, disabled SSL 3.0 by default.[26]
POODLE attack against TLS
A new variant of the original POODLE attack was announced on December 8, 2014. This attack exploits implementation flaws of CBC encryption mode in the TLS 1.0 - 1.2 protocols. Even though TLS specifications require servers to check the padding, some implementations fail to validate it properly, which makes some servers vulnerable to POODLE even if they disable SSL 3.0.[5] SSL Pulse showed "about 10% of the servers are vulnerable to the POODLE attack against TLS" before this vulnerability was announced.[27] The CVE-ID for F5 Networks' implementation bug is CVE-2014-8730. The entry in NIST's NVD states that this CVE-ID is to be used only for F5 Networks' implementation of TLS, and that other vendors whose products have the same failure to validate the padding mistake in their implementations like A10 Networks and Cisco Systems need to issue their own CVE-IDs for their implementation errors because this is not a flaw in the protocol but in the implementation.
The POODLE attack against TLS was found to be easier to initiate than the initial POODLE attack against SSL. There is no need to downgrade clients to SSL 3.0, meaning fewer steps are needed to execute a successful attack.[28]
References
- Möller, Bodo; Duong, Thai; Kotowicz, Krzysztof (September 2014). "This POODLE Bites: Exploiting The SSL 3.0 Fallback" (PDF).
- Bright, Peter (October 15, 2014). "SSL broken, again in POODLE attack". Ars Technica.
- Brandom, Russell (October 14, 2014). "Google researchers reveal new Poodle bug, putting the web on alert".
- "Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback". Google Online Security Blog. Retrieved June 1, 2015.
- Langley, Adam (December 8, 2014). "The POODLE bites again". Retrieved December 8, 2014.
- Hagai Bar-El. "Poodle flaw and IoT". Retrieved October 15, 2014.
- B. Moeller, A. Langley (April 2015). "RFC 7507: TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks". IETF.
- Möller, Bodo (October 14, 2014). "This POODLE bites: exploiting the SSL 3.0 fallback". Google Online Security blog. Google (via Blogspot). Retrieved October 15, 2014.
- Langley, Adam (October 14, 2014). "POODLE attacks on SSLv3". imperialviolet.org. Retrieved October 16, 2014.
- Molland, Håvard (October 15, 2014). "Security changes in Opera 25; the poodle attacks". Opera security blog. Opera. Retrieved October 16, 2014.
- Ilascu, Ionut. "Chrome 39 Disables SSLv3 Fallback, Awards $41,500 / €33,000 in Bounties". Softpedia. Retrieved December 3, 2014.
- "Issue 693963003: Add minimum TLS version control to about:flags and Finch gate it". Chromium Code Reviews. Retrieved April 16, 2015.
- "The POODLE Attack and the End of SSL 3.0". Mozilla blog. Mozilla. October 14, 2014. Retrieved October 15, 2014.
- "Vulnerability in SSL 3.0 Could Allow Information Disclosure". Microsoft TechNet. Microsoft. October 14, 2014. Retrieved October 15, 2014.
- "Security Advisory 3009008 revised". Microsoft TechNet. Microsoft. October 29, 2014. Retrieved October 30, 2014.
- Oot, Alec (December 9, 2014). "December 2014 Internet Explorer security updates & disabling SSL 3.0 fallback". Microsoft. Retrieved December 9, 2014.
- "February 2015 security updates for Internet Explorer". IEBlog. April 14, 2015. Retrieved April 15, 2015.
- "About Security Update 2014-005". apple.com. Retrieved June 1, 2015.
- "About the security content of iOS 8.1". apple.com. Retrieved June 1, 2015.
- Prince, Matthew (October 14, 2014). "SSLv3 Support Disabled By Default Due to POODLE Vulnerability". Cloudflare blog. Cloudflare. Retrieved October 15, 2014.
- Bergsma, Mark (October 17, 2014). "Protecting users against POODLE by removing SSL 3.0 support". Wikimedia blog. Wikimedia Foundation. Retrieved October 17, 2014.
- "NSS 3.17.1 release notes". Mozilla. October 3, 2014. Retrieved October 27, 2014.
- "NSS 3.16.2.3 release notes". Mozilla. October 27, 2014. Retrieved October 27, 2014.
- "Disable SSL 3 by default in NSS in April 2015". mozilla.dev.tech.crypto. October 27, 2014. Retrieved October 27, 2014.
- "OpenSSL Security Advisory [15 Oct 2014]". OpenSSL. October 15, 2014. Retrieved October 20, 2014.
- "LibreSSL 2.1.1 released". LibreSSL. October 16, 2014. Retrieved October 20, 2014.
- Ristic, Ivan (December 8, 2014). "Poodle Bites TLS". Retrieved December 8, 2014.
- Stosh, Brandon (December 8, 2014). "Nasty POODLE Variant Bypasses TLS Crypto Affecting Over 10 Percent of the Web". Retrieved December 8, 2014.
External links
- This POODLE Bites: Exploiting TheSSL 3.0 Fallback - The original publication of POODLE
- 1076983 – (POODLE) Padding oracle attack on SSL 3.0 Mozilla Bugzilla