
Limited POODLE Attack Resurfaces in TLS

Back in October, we published an extensive article about an attack called POODLE that affected old versions of the SSL protocol (specifically, SSL 3.0). This attack had the potential to affect nearly 98% of the Internet, as many servers still supported this older version of the protocol.


But now it has been revealed that POODLE is back, this time with the ability to affect even the newest version of the protocol [1].

Any time we visit the topic of SSL protocol attacks, we should remember this brief history lesson about SSL naming: The earliest versions of the protocol were named SSL 2.0 and SSL 3.0. Then, in 1999, the next version of the protocol was renamed to TLS 1.0. Since then, all new versions have been named TLS, for Transport Layer Security, rather than Secure Sockets Layer. Today, the newest version is TLS 1.2.

The POODLE attack was previously thought to work only on SSL 3.0 because it took advantage of a flaw where a section of the message (specifically, the message padding) could be changed by an attacker; this was due to under-specification of the early protocol. Successors to SSL 3.0 have since corrected this. However, some implementations of these newer protocols may be vulnerable. This is because, while the specifications of TLS 1.1 and 1.2 require that the message padding be verified, it’s impossible to ensure all implementations follow this rule, and clients (web browsers) cannot effectively check for this [2].
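The padding rule described above, as an added Python example (not code from this article or from any vendor). It contrasts the SSL 3.0 check with the check TLS requires, applied to an already-decrypted CBC record. The function names, the 20-byte MAC length (HMAC-SHA1) and the sample records are assumptions constructed for illustration.

```python
# Added illustration. Decrypted CBC record layout:
#   data || MAC || padding bytes || padding_length byte

def ssl3_padding_ok(plaintext: bytes, block_size: int = 16) -> bool:
    """SSL 3.0 rule: only the final length byte is inspected.

    The padding bytes themselves may hold any value and are not covered
    by the MAC, which is the under-specification POODLE relies on.
    """
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    # SSL 3.0 only requires the padding to fit within one cipher block.
    return pad_len < block_size and pad_len + 1 <= len(plaintext)


def tls_padding_ok(plaintext: bytes, mac_len: int = 20) -> bool:
    """TLS rule: every padding byte must equal the padding length byte."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    # The record must still have room for the MAC after removing padding.
    if pad_len + 1 + mac_len > len(plaintext):
        return False
    diff = 0
    # Accumulate differences rather than returning at the first bad byte.
    for b in plaintext[-(pad_len + 1):]:
        diff |= b ^ pad_len
    return diff == 0


# Constructed sample: 16 data bytes + 20 placeholder MAC bytes + 12 bytes
# of padding (11 padding bytes plus the length byte 0x0b) = 48 bytes.
BODY = b"GET / HTTP/1.1\r\n" + bytes(20)
WELL_FORMED = BODY + bytes([11] * 12)
ALTERED_PADDING = BODY + bytes(range(0xA0, 0xAB)) + b"\x0b"

if __name__ == "__main__":
    for name, rec in (("well-formed", WELL_FORMED), ("altered", ALTERED_PADDING)):
        print(name, "ssl3 rule:", ssl3_padding_ok(rec),
              "tls rule:", tls_padding_ok(rec))
```

A TLS implementation that applies only the first check to TLS records is the kind of non-conforming implementation the paragraph above describes.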

Security researchers Brian Smith and Adam Langley have been quietly working since October [3], confirming the suspicion that the POODLE attack could be used on other versions of the SSL protocol. They found a few notable vulnerabilities on enterprise-level hardware, specifically devices made by two network equipment companies, F5 and A10.

The good news is that this new vulnerability is estimated to affect under 10% of servers [4]. Unlike the first round of POODLE, this vulnerability is not due to a flaw in the protocol specification, but in specific implementations of it.

This attack can be executed about as efficiently as POODLE against SSL 3.0, but against a much smaller number of potentially affected targets. Remember that both POODLE attacks require an active network attacker and the ability to inject JavaScript into a client’s browser, and require only around 4096 requests on average to succeed (this may sound like a lot, but it is quite practical to achieve).

This time around, a much smaller group of servers is affected, and we believe these will be quickly patched by the server administrators who attend to them. F5 and A10 have released patches today for their devices which solve this issue. If you are affected by this, please visit this page for F5 devices and this page for A10 to get the relevant patches and information.

 


  1. https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
  2. https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
  3. https://www.imperialviolet.org/2014/12/08/poodleagain.html
  4. See the final paragraph in this article, where Ivan Ristic says the latest SSL Pulse statistics reveal 10% of servers were vulnerable.