POODLE



The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0.[1][2][3] If attackers successfully exploit this vulnerability, they need on average only 256 SSL 3.0 requests to reveal one byte of an encrypted message. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed it publicly on October 14, 2014 (although the paper is dated "September 2014" [1]).[4] Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks.[5] On December 8, 2014, a variation of the POODLE vulnerability that affected TLS was announced.[6]

The CVE-ID associated with the original POODLE attack is CVE-2014-3566. F5 Networks filed for CVE-2014-8730 as well; see the section POODLE attack against TLS below.

Exploitation of graceful degradation

POODLE exemplifies a vulnerability that succeeds thanks to a mechanism designed to reduce security for the sake of interoperability. Extra care is therefore appropriate when designing systems in domains with high levels of fragmentation, where graceful security degradation may become common.[7]

Prevention

To mitigate the POODLE attack, one approach is to disable SSL 3.0 completely on both the client side and the server side. However, some old clients and servers do not support TLS 1.0 and above. Thus, the authors of the POODLE paper also encourage browsers and servers to implement TLS_FALLBACK_SCSV,[8] which will make downgrade attacks impossible.[1][9]
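As an added illustration (not code from the POODLE paper or from any TLS library), the following minimal model shows how TLS_FALLBACK_SCSV works: a client that retries a handshake at a lower version adds the signalling value 0x5600 to its cipher suite list, and a server that supports a higher version than the one offered answers with the inappropriate_fallback alert (code 86). The value and alert number are from RFC 7507; the class and function names are assumptions made for this example.

```python
"""Constructed model of TLS_FALLBACK_SCSV handling (RFC 7507); not library code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol versions as they appear on the wire: (major, minor)
SSL_3_0 = (3, 0)
TLS_1_0 = (3, 1)
TLS_1_2 = (3, 3)

# Signalling cipher suite value from RFC 7507; it selects no real cipher
TLS_FALLBACK_SCSV = 0x5600
# Alert description number for inappropriate_fallback (RFC 7507, section 3)
ALERT_INAPPROPRIATE_FALLBACK = 86


@dataclass
class ClientHello:
    client_version: Tuple[int, int]   # highest version this hello offers
    cipher_suites: List[int]          # 2-byte suite codes as integers


@dataclass
class ServerResponse:
    accepted: bool
    version: Optional[Tuple[int, int]] = None
    alert: Optional[int] = None


def client_retry(previous: ClientHello, normal_suites: List[int]) -> ClientHello:
    """Client side: retry one version lower and append the SCSV so that a
    server which supports the original version can detect the downgrade."""
    major, minor = previous.client_version
    if minor == 0:
        raise ValueError("nothing lower than SSL 3.0 to fall back to")
    return ClientHello((major, minor - 1), list(normal_suites) + [TLS_FALLBACK_SCSV])


def handle_client_hello(hello: ClientHello, server_max: Tuple[int, int] = TLS_1_2) -> ServerResponse:
    """Server side: negotiate the highest common version, but abort when the
    client flags a fallback to a version below what this server supports,
    since a genuine client would never have needed to fall back."""
    if TLS_FALLBACK_SCSV in hello.cipher_suites and hello.client_version < server_max:
        return ServerResponse(accepted=False, alert=ALERT_INAPPROPRIATE_FALLBACK)
    return ServerResponse(accepted=True, version=min(hello.client_version, server_max))
```

A genuinely old server whose best version equals the retried one still accepts the fallback hello, which is what keeps the mechanism compatible with the legacy peers the paragraph above mentions.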

Another mitigation is to implement "anti-POODLE record splitting", which splits each record into several parts so that none of them can be attacked. Although this splitting is valid according to the specification, it may cause compatibility issues because of problems in server-side implementations.[10] Opera 25 has implemented this mitigation in addition to TLS_FALLBACK_SCSV.[11]

Google's Chrome browser and Google's servers already support TLS_FALLBACK_SCSV. In October 2014, Google stated that it planned to remove SSL 3.0 support from its products completely within a few months.[9] Fallback to SSL 3.0 was disabled in Chrome 39, released in November 2014,[12] and SSL 3.0 was disabled by default in Chrome 40, released in January 2015.[13]

Mozilla disabled SSL 3.0 in Firefox 34 and ESR 31.3, which were released in December 2014, and added support for TLS_FALLBACK_SCSV in Firefox 35.[14]

Microsoft has published a security advisory explaining how to disable SSL 3.0 in Internet Explorer and Windows,[15] and on October 29, 2014, Microsoft released a "Fix it" that disables SSL 3.0 in Internet Explorer on Windows Vista / Server 2003 and above, and announced its plan to disable SSL 3.0 by default in its products and services within a few months.[16] Microsoft disabled fallback to SSL 3.0 in Internet Explorer 11 for Protected Mode sites on February 10, 2015,[17] and disabled SSL 3.0 by default in IE 11 on April 14, 2015.[18]

Apple's Safari (on OS X 10.8, iOS 8.1 and later) has been mitigated against POODLE by removing support for all CBC cipher suites in SSL 3.0;[19][20] however, this leaves only RC4, which is also completely broken by the RC4 attacks in SSL 3.0.

To prevent the POODLE attack, some web services have dropped support of SSL 3.0. Examples include CloudFlare[21] and Wikimedia.[22]

NSS version 3.17.1, released on October 3, 2014, and 3.16.2.3, released on October 27, 2014, introduced support for TLS_FALLBACK_SCSV,[23][24] and NSS will disable SSL 3.0 by default in April 2015.[25] OpenSSL versions 1.0.1j, 1.0.0o and 0.9.8zc, released on October 15, 2014, introduced support for TLS_FALLBACK_SCSV.[26] LibreSSL version 2.1.1, released on October 16, 2014, disabled SSL 3.0 by default.[27]

POODLE attack against TLS

A new variant of the original POODLE attack was announced on December 8, 2014. This attack exploits implementation flaws in the CBC encryption mode of the TLS 1.0 to 1.2 protocols. Even though the TLS specifications require servers to check the padding, some implementations fail to validate it properly, which leaves some servers vulnerable to POODLE even if they disable SSL 3.0.[6] SSL Pulse showed "about 10% of the servers are vulnerable to the POODLE attack against TLS" before this vulnerability was announced.[28] The CVE-ID for F5 Networks' implementation bug is CVE-2014-8730. The entry in NIST's NVD states that this CVE-ID is to be used only for F5 Networks' implementation of TLS, and that other vendors whose products have the same padding-validation failure in their implementations, such as A10 Networks and Cisco Systems, need to issue their own CVE-IDs for their implementation errors, because this is not a flaw in the protocol itself but a flaw in its implementation.

The POODLE attack against TLS was found to be easier to initiate than the original POODLE attack against SSL. There is no need to downgrade clients to SSL 3.0, so fewer steps are needed to execute a successful attack.[29]
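The padding check that separates SSL 3.0 from a correctly implemented TLS stack is the crux of both the original attack (the 256 requests per byte in the lead) and the TLS variant described above. The following constructed example (not code from any TLS library or from the POODLE paper) shows the SSL 3.0 rule, which inspects only the final length byte, beside the TLS rule from RFC 5246, which requires every padding byte to equal the length byte; a TLS implementation that skips that loop behaves like SSL 3.0. The function names and the sample record are assumptions made for this example.

```python
"""Constructed comparison of SSL 3.0 and TLS CBC padding validation."""

BLOCK_SIZE = 16  # AES block size; SSL 3.0 padding may not exceed one block


def ssl3_padding_ok(decrypted: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """SSL 3.0 rule: the last byte is the padding length and must be smaller
    than the block size. The filler bytes are never inspected, so any
    content is accepted as long as the length byte is plausible."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    return pad_len < block_size and len(decrypted) >= pad_len + 1


def tls_padding_ok(decrypted: bytes) -> bool:
    """TLS rule (RFC 5246, section 6.2.3.2): every padding byte must equal
    the padding-length byte. Dropping this loop is the implementation error
    behind the TLS variant of POODLE."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    if len(decrypted) < pad_len + 1:
        return False
    return all(b == pad_len for b in decrypted[-(pad_len + 1):])


def strip_padding(decrypted: bytes, strict: bool):
    """Return the record content (still carrying its MAC), or None when the
    padding is rejected. strict=True applies the TLS rule, False the SSL 3.0 rule."""
    ok = tls_padding_ok(decrypted) if strict else ssl3_padding_ok(decrypted)
    if not ok:
        return None
    return decrypted[:-(decrypted[-1] + 1)]


# Constructed 16-byte decrypted record: 14 bytes of content plus two padding
# bytes, so the whole thing is exactly one AES block.
CONTENT = b"data+mac-bytes"          # 14 bytes standing in for data and MAC
GOOD_PAD = bytes([1, 1])             # proper TLS padding: length 1, filler 0x01
BAD_PAD = bytes([0xAA, 1])           # garbage filler, but the length byte fits
```

Only the structural check is modelled here; a production stack must also verify the MAC in constant time whether or not the padding is valid, otherwise the timing of the rejection becomes an oracle of its own.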
