Qualys Blog

www.qualys.com
wkandek

SSLv3 and POODLE attacks – Update

Update:

When POODLE was disclosed, we added detection capabilities to Qualys VM immediately. We have now integrated a POODLE filter into our Certificate Dashboard (similar to the Heartbleed filter) that helps organizations view their exposure to POODLE in a natural, real-time way. The following selections in the Filters menu quickly identify which hosts are affected by POODLE:

  • Poodle – All: lists all certificates that have been used on systems that were (or still are) vulnerable to POODLE.
  • Poodle – Active: lists all certificates currently in use on systems that are still vulnerable to POODLE.

Take a look at the Certificates tab under Assets in Qualys VM.

Original: Late on Patch Tuesday, three researchers from Google announced the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability, CVE-2014-3566, in SSLv3. It is an attack against the protocol itself, meaning that all implementations of SSLv3 are vulnerable, unlike Heartbleed, which was a flaw in OpenSSL. Like Heartbleed, it is an information disclosure: a successful attack would be able to steal a session cookie from you. Unlike Heartbleed, however, it is much harder to exploit, because it requires a MITM (Man in the Middle) position and code on the client that opens numerous SSL attempts against a vulnerable server. A successful attack reveals information about the particular session from that endpoint, again unlike Heartbleed, where one could gain information about other users.

The easiest way to deal with the vulnerability is to disable SSLv3 on both the server and the client, i.e. your browsers. Take a look at Ivan Ristic’s post on the technical background, then head over to either SSL Labs or Qualys VM to check your system.
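One way to confirm that a server you administer no longer accepts SSLv3, as an added example that is not from the original post or from Qualys: it sends an SSLv3 ClientHello offering only CBC suites and classifies the first record of the reply. The function names, the suite list and the result labels are choices made for this example.

```python
import os
import socket
import struct

# CBC-mode suites usable with SSLv3; POODLE targets CBC padding, so only these are offered.
CBC_SUITES = [0x002F, 0x0035, 0x000A]  # RSA with AES128-SHA, AES256-SHA, 3DES-EDE-CBC-SHA
SSL3 = b"\x03\x00"                     # protocol version 3.0 on the wire

def build_client_hello(random32=None):
    """Return one SSLv3 record carrying a ClientHello that offers only CBC suites."""
    random32 = random32 or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CBC_SUITES)
    body = (SSL3 + random32 + b"\x00"              # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                         # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Classify the first record of the server's reply to the SSLv3 probe."""
    if len(data) < 5:
        return "no-reply"                          # closed or silent: SSLv3 not negotiated
    rtype, length = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if rtype == 0x15:                              # alert record, e.g. handshake_failure
        return "sslv3-refused"
    if rtype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        # ServerHello: the chosen version follows the 4-byte handshake header
        return "sslv3-accepted" if payload[4:6] == SSL3 else "other-version"
    return "unexpected"

def check_host(host, port=443, timeout=5.0):
    """Send the probe to host:port and return the classification string."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello())
            return classify_response(s.recv(4096))
    except OSError:                                # refused, reset or timed out
        return "no-reply"
```

A result of `sslv3-accepted` means the server still negotiates SSLv3 with a CBC suite and should have the protocol disabled; this probe covers the server side only, not browsers.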

SSL Labs

SSL Labs detects SSLv3 and the specific configurations that are vulnerable. At the moment, a vulnerable configuration caps your site’s grade at C.

Qualys VM

Qualys has also released VM QIDs to detect the server-side and client-side vulnerabilities.

For the server side:

  • QID 38603: SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE). This check does not require authentication.

For the client side, to check your browsers:

  • QID 122757: Apple Safari SSL 3.0 Information Disclosure Vulnerability (POODLE)
  • QID 122751: Mozilla Firefox SSL 3.0 Information Disclosure Vulnerability (POODLE)
  • QID 90985: Internet Explorer SSL 3.0 Information Disclosure Vulnerability (POODLE)
  • QID 122758: Google Chrome SSL 3.0 Information Disclosure Vulnerability (POODLE)

To create a custom option profile to scan only for these QIDs please refer to the online help in the section 'Configure Your Scan Option Profile'.
