{"id":9655,"date":"2019-02-11T22:54:39","date_gmt":"2019-02-12T03:54:39","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=9655"},"modified":"2021-03-11T14:55:43","modified_gmt":"2021-03-11T19:55:43","slug":"zombie-poodle-and-goldendoodle-two-new-exploits-found-for-tls-1-2","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/zombie-poodle-and-goldendoodle-two-new-exploits-found-for-tls-1-2\/","title":{"rendered":"Zombie POODLE and GOLDENDOODLE \u2013 Two new exploits found for TLS 1.2"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-tls-1-2-implementations-that-still-support-cipher-block-chaining-are-vulnerable\">TLS 1.2 implementations that still support Cipher Block-Chaining are vulnerable.<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Before we get started discussing <a href=\"https:\/\/www.blackhat.com\/asia-19\/briefings\/schedule\/#zombie-poodle-goldendoodle-and-how-tlsv13-can-save-us-all-13741%20\">a couple of new exploits that can be found with some TLS 1.2 implementations<\/a>, let\u2019s begin by discussing the naming conventions that are used in the cybersecurity industry. POODLE, which is an acronym for Padding Oracle On Downgraded Legacy Encryption, is a completely functional name, but still a terrible one. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While I\u2019m typically a proponent of pragmatism, when you\u2019re naming a vulnerability that provides an attacker the means to decrypt and exfiltrate data from a secure connection, you want a name that strikes a harsher chord than the word for a froofy French hunting dog. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Don\u2019t get me wrong, my folks had standard Poodles throughout\nmy childhood \u2013 they\u2019re great dogs \u2013 but their mention strikes terror into the\nhearts of exactly no one, save maybe the lizards on my parents\u2019 patio.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, with that in mind let\u2019s discuss a couple of variants of\nPOODLE that can victimize certain TLS 1.2 implementations that still support\nCipher Block-Chaining: Zombie POODLE and GOLDENDOODLE.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-remembering-poodle\">Remembering POODLE<\/h2>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/02\/bigstock-Poodle-Vector-Icon-On-White-Ba-263779084-300x300.jpg\" alt=\"GOLDENDOODLE and Zombie POODLE\" class=\"wp-image-9658\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/02\/bigstock-Poodle-Vector-Icon-On-White-Ba-263779084-300x300.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/02\/bigstock-Poodle-Vector-Icon-On-White-Ba-263779084-768x768.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/02\/bigstock-Poodle-Vector-Icon-On-White-Ba-263779084-1024x1024.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/02\/bigstock-Poodle-Vector-Icon-On-White-Ba-263779084.jpg 1600w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">POODLE, which started as an SSL 3.0 exploit, was a threat to the newer TLS protocols if 
they maintained backwards compatibility with 3.0. Every few months or so we\u2019ll run an article showing the troubling number of websites that still support SSL 3.0. <a href=\"https:\/\/www.thesslstore.com\/blog\/nearly-21-of-the-worlds-top-100000-websites-still-arent-using-https\/\">As of last count it was 6.8% of the Alexa Top 100,000<\/a>. This doesn\u2019t necessarily mean that those websites don\u2019t support newer versions of the TLS protocol, it just means that they maintain legacy support for 3.0, which can be weaponized by attacks like POODLE. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">POODLE worked by attacking the padding used with block ciphers. When encryption is done with a block cipher, the length of the data being input needs to be an exact multiple of the block&#8217;s length in bytes. For instance, with triple DES, the block length is 8 bytes (64 bits), for AES it&#8217;s 16 bytes (128 bits), so before encryption can be performed using either of those ciphers you\u2019d need to pad the input to be a multiple of the block length. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We really don\u2019t need to get more specific than that, and other forms of encryption don\u2019t require padding, but POODLE worked by discerning the padding used to decrypt the message being sent. Now, this exploit relies on a few things to succeed. For starters, you need to be actively <a href=\"https:\/\/www.thesslstore.com\/blog\/man-in-the-middle-attack-2\/\">executing a Man-in-the-Middle<\/a> to leverage it. Then you need to force connections to fail in order to force the server to revert back to SSL 3.0. The SSL\/TLS protocols were designed, at least early on, to have this fallback feature for the sake of interoperability. POODLE is why we can\u2019t have nice things.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Another variant of the exploit, published later in 2014 (after the SSL 3.0 version), demonstrates the attack working successfully against TLS. 
It exploits implementation flaws in TLS 1.0-TLS 1.2, specifically with their Cipher-Block Chaining encryption modes. It\u2019s this TLS-based variant that forms the foundation for today\u2019s new exploits, Zombie POODLE and GOLDENDOODLE.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-zombie-poodle-and-goldendoodle\">Zombie POODLE and GOLDENDOODLE<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Five years after news of POODLE broke and the exploit was patched and somewhat forgotten, it still maintains some viability thanks to products that failed to confront the first POODLE issue. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Craig Young, a researcher for Tripwire, was able to revive the exploit with a slight tweak in a Citrix load balancer. This was the so-called Zombie POODLE exploit. GOLDENDOODLE is a souped-up variant of POODLE with a much faster, more powerful crypto-hacking mechanism. <\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"900\" height=\"525\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/12\/Support-for-Deprecated-SSLTLS-versions.png\" alt=\"Nearly 21% of the world\u2019s top 100,000 websites still aren\u2019t using HTTPS\" class=\"wp-image-8179\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/12\/Support-for-Deprecated-SSLTLS-versions.png 900w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/12\/Support-for-Deprecated-SSLTLS-versions-300x175.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/12\/Support-for-Deprecated-SSLTLS-versions-768x448.png 768w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><figcaption>Numbers from the Alexa Top 100,000, accurate as of 12\/18.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">All in all, roughly 2,000 of the Alexa top million websites are vulnerable to Zombie POODLE and around 1,000 are vulnerable to GOLDENDOODLE. 
More troublingly, about 500 are still vulnerable to POODLE itself.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-to-avoid-zombie-poodle-and-goldendoodle\">How to avoid Zombie POODLE and GOLDENDOODLE<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The biggest problem with both the original SSL protocols and the newer TLS protocols is that, in the name of interoperability, there hasn\u2019t been adequate deprecation of older cryptographic methods and ciphers that have known vulnerabilities. Instead, TLS 1.2 is full of workarounds and tweaks to try to ensure older, legacy devices maintain access to websites despite the security risks that may pose. <\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Zombie POODLE, GOLDENDOODLE, and How TLSv1.3 Can Save Us All\" width=\"960\" height=\"540\" src=\"https:\/\/www.youtube.com\/embed\/R5z0mhzxKGc?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The most direct way to continue using TLS 1.2 and defend against these exploits is to completely disable all support for CBC encryption suites. But, long term, <a href=\"https:\/\/www.thesslstore.com\/blog\/tls-1-3-approved\/\">TLS 1.3 is going to need to be the answer<\/a>. TLS 1.3 has stripped support for older ciphers and cryptographic methods that are known to be vulnerable in addition to <a href=\"https:\/\/www.thesslstore.com\/blog\/tls-1-3-handshake-tls-1-2\/\">refining the handshake<\/a>, which reduces overhead. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So far TLS 1.3 has seen <a href=\"https:\/\/www.thesslstore.com\/blog\/2018-was-a-busy-year-for-ssl-tls\/\">promising results in its early deployment<\/a>, but there will likely be websites that are hesitant to completely switch for fear of locking out users on older, legacy browsers and systems. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Exploits like POODLE, Zombie POODLE and GOLDENDOODLE are\narguments against that position. They\u2019re what happens when you cater more\ntowards interoperability than security. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It makes everyone less safe.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>As always, leave any comments or questions below\u2026<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"267\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-1024x267.jpg\" alt=\"Hashed Out by The SSL Store is the voice of record in the SSL\/TLS industry.\" class=\"wp-image-7276\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-1024x267.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-300x78.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-768x200.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568.jpg 1559w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>TLS 1.2 implementations that still support Cipher Block-Chaining are vulnerable. 
Before we get started discussing a couple of new exploits that can be found with some TLS 1.2 implementations, let\u2019s&#8230;<\/p>\n","protected":false},"author":6,"featured_media":9657,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[130],"tags":[9835,306],"class_list":["post-9655","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-everything-encryption","tag-poodle","tag-tls-1-2","post-with-tags"],"views":29236,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/02\/bigstock-Male-Poodle-Urinating-Pee-On-T-257671687.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/9655","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=9655"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/9655\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/9657"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=9655"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=9655"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/
tags?post=9655"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}