There’s a new SSL/TLS problem being announced today and it’s likely to affect some of the most popular web sites in the world, owing largely to the popularity of F5 load balancers and the fact that these devices are impacted. There are other devices known to be affected, and it’s possible that the same flaw is present in some SSL/TLS stacks. We will learn more in the following days.
If you want to stop reading here, take these steps: 1) check your web site using the SSL Labs test; 2) if vulnerable, apply the patch provided by your vendor. As problems go, this one should be easy to fix.
When POODLE was disclosed, we added detection capabilities to Qualys VM immediately. We have now integrated a POODLE filter into our Certificate Dashboard (similar to the HeartBleed filter) that will help organizations to look at their exposure through POODLE in a natural, real-time way. The following selections in the Filters menu quickly identify which hosts are affected by POODLE:
- Poodle – All: lists all certificates that have been used on systems that were (or still are) vulnerable to POODLE.
- Poodle – Active: lists all certificates currently in use on systems that are still vulnerable to POODLE.
Take a look at the Certificates tab under Assets in Qualys VM.
Original: Late on Patch Tuesday three researchers from Google announced the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability CVE-2014-3566 in SSLv3. It is an attack against the protocol itself, meaning that all implementations of SSL are vulnerable, differently from HeartBleed which was a flaw in OpenSSL. Similarly to HeartBleed it is an information disclosure, as a successful attack would be able to steal a session cookie from you, but again differently from HeartBleed it is much harder to exploit in that it requires a MITM (Man in The Middle) position and code on the client to open numerous SSL attempts against a vulnerable server. A successful attack will reveal information about the particular session from that endpoint, again different from Heartbleed where one could gain information about other users.
The POODLE Attack (CVE-2014-3566)
Update (8 Dec 2014): Some TLS implementations are also vulnerable to the POODLE attack. More information in this follow-up blog post.