A fresh attack vector against SSL has been detailed, but analysts are mixed on the severity of the POODLE (Padding Oracle On Downgraded Legacy Encryption) flaw.
After it was rumoured to be disclosed yesterday by the Register, it was later detailed as revealing a vulnerability in the way that SSL v3 uses ciphers and allows an attacker to extract the plaintext of targeted parts of an SSL connection, usually cookie data, and doesn’t require such extensive control of the format of the plaintext. Therefore it is more practical.
According to Bodo Möller from the Google Security Team, who discovered the flaw with other members of the team, support for SSL 3.0 remains widespread among nearly all browsers, even though it is nearly 15 years old an in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0.
“Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue,” he said.
“Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.”
Möller confirmed that Google Chrome will begin testing changes today that disable the fallback to SSL 3.0, although he warned that this change will break some sites and those sites will need to be updated quickly. “In the coming months, we hope to remove support for SSL 3.0 completely from our client products,” he said.
According to Errata Security’s Robert Graham, Heartbleed and Shellshock allowed hacks against servers, while POODLE allows hacking of clients, so “if Hearbleed/Shellshock merited a 10, then this attack is only around a 5”.
He said that disabling SSL v3 in browsers is easy, but not so in servers. He said: “It requires MitM (man-in-the-middle) to exploit. In other words, the hacker needs to be able to to tap into the wires between you and the website you are browsing, which is difficult to do. This means you are probably safe from hackers at home, because hackers can’t tap backbone links.
“But, since the NSA can tap into such links, it’s probably easy for them. However, when using the local Starbucks or other unencrypted WiFi, you are in grave danger from this hack from hackers sitti
ng the table next to you.”
A Microsoft advisory, it said that it is aware of the new method to exploit a vulnerability in SSL 3.0, and it is not aware of attacks that try to use the reported vulnerability at this time but “all supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability”.
You can test if you are vulnerable at this website.
Ollie Whitehouse, technical director at NCC Group, said: “The recent Poodle vulnerability is arguably not best in show, as it is found in a older version of the security protocol which browsers and servers will not use by default. However, when combined with an active man-in-the-middle downgrade attack this vulnerability could be exploited with relative ease.
“We expect tooling to exploit poodle to be released shortly. Exploitation will be most likely in a malicious Wi-Fi hotspot scenario, or when travelling to a country where there is a risk of active state-driven attacks. Credit should be paid to the Google researchers who are consistently performing critical security research to help better secure their customers.”
