What Is a CDN And Why Do You Need It?
October 14, 2014
Can Businesses Innovate When On The Cloud?
October 15, 2014
What to do if you’ve been affected by Google’s “Poodle” Bug affected SSL Vulnerability:
A serious SSLv3 security vulnerability was recently discovered that can allow third parties to decrypt information being sent between a web browser and a web server.
More information:
https://access.redhat.com/articles/1232123
What Are The Affected systems:
Systems running web servers with encryption enabled AND web browsers.
What Is The Impact:
This type of vulnerability is exploited via “Man in the Middle” attacks.
Modern encryption uses TLSv1.2 and TLSv1.1, neither of which is currently vulnerable to this type of attack. However web browsers and web servers with SSLv3 enabled are vulnerable to a downgrade attack which forces the use of the insecure SSLv3 encryption. Because of this, any communication with
SSLv3 enabled on both ends is vulnerable to this attack, whether or not TLS is enabled. RedHat’s security blog offers more in-depth information on the issue:
* POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. More details are available in the upstream OpenSSL advisory.
* POODLE affects older standards of encryption, specifically Secure Socket Layer (SSL) version 3.0. It does not affect the newer encryption mechanism known as Transport Socket Layer (TLS).
* The following script can be run against the (Linux) server in question.
The command will return ‘SSL 3.0 enabled’ if vulnerable and ‘SSL 3.0 disabled’ if not:
—————————–
#!/bin/bash
ret=$(echo Q | timeout 5 openssl s_client -connect “${1-`hostname`}:${2-443}” -ssl3 2> /dev/null) if echo “${ret}” | grep -q ‘Protocol.*SSLv3’; then if echo “${ret}” | grep -q ‘Cipher.*0000’; then
echo “SSL 3.0 disabled”
else
echo “SSL 3.0 enabled”
fi
else
echo “SSL disabled or other error”
fi
—————————–
What is The Resolution:
Fixing this issue varies from system to system. Disabling SSLv3 encryption in a web server’s configuration (while still allowing for TLS) should fix the issue on most servers. The following blog post shows steps for patching many vulnerable systems such as Firefox, Chrome, Apache, Nginx, Postfix, Sendmail, Dovecot, OpenVPN, and Puppet:
http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle
-vulnerability-cve-2014-3566
If you have any questions and/or would like assistance in determining whether your systems are vulnerable, feel free to contact us at [email protected].
Thank you,
Colocation America Support
Toll Free: 800-296-8915
International: 213-928-6929
