The POODLE weakness in the SSL protocol (CVE-2014-3566) | SUSE Communities


Your immediate action is required

In short: The POODLE attack on the SSL 3.0 protocol, published last night (https://www.openssl.org/~bodo/ssl-poodle.pdf), requires server and desktop administrators and desktop users to carefully review the security protocol settings in packages such as HTTP servers (such as Apache, Tomcat), SMTP servers (such as Postfix), IMAP servers, … as well as web browsers (Firefox, …) and e-mail clients (Evolution, Thunderbird, …). More generally: everything that uses the OpenSSL library needs a review.

Recommended action: Check the settings and, if needed, change them to require TLS 1.0 as a minimum.

Fortunately, you do not have to install or update any package to mitigate the situation. In the future you may see updates to some packages that help mitigate this at a lower level than configuration alone.

Unfortunately, changing the settings on servers and clients can have significant side effects if some part of your stack really requires the SSL 3.0 protocol. Carefully check your needs and those of your peers!

Find more details here: SUSE TID#7015773
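To verify the result of a settings change, the following added example (not part of the original post or of any SUSE tooling) offers only SSL 3.0 to a server and reports whether the server accepts it. It assumes a direct-TLS port such as 443 and does not handle STARTTLS; the function names and result labels are chosen for this illustration.

```python
import socket
import struct
import sys

SSL3 = (3, 0)  # wire version of SSL 3.0
# Suites commonly negotiated over SSL 3.0: three CBC (AES128, AES256, 3DES), two RC4
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]

def build_client_hello(version=SSL3):
    """Build a ClientHello record that offers only `version`, without extensions."""
    body = bytes(version) + bytes(32)   # client_version + random (zeros: probe only)
    body += b"\x00"                     # empty session id
    body += struct.pack("!H", 2 * len(CIPHER_SUITES))
    body += b"".join(struct.pack("!H", c) for c in CIPHER_SUITES)
    body += b"\x01\x00"                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Classify the first record the server sent back."""
    if len(data) < 5:
        return "no-reply"               # closed or silent: SSL 3.0 not negotiated
    rtype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if rtype == 0x15:                   # alert record, e.g. handshake_failure
        return "rejected"
    if rtype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # ServerHello
        chosen = (payload[4], payload[5])
        return "ssl3-accepted" if chosen == SSL3 else "other-version"
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Offer SSL 3.0 to a direct-TLS port (no STARTTLS) and report the answer."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(build_client_hello())
            while len(data) < 11:       # record header + start of ServerHello
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError:                 # timeout or reset counts as no answer
            pass
    return classify_response(data)

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{host}:{port} -> {probe(host, port)}")
```

A result of "ssl3-accepted" means the service still needs its protocol settings changed; "rejected" or "no-reply" means SSL 3.0 was not negotiated.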

Background

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. An attacker acting as man-in-the-middle can force a downgrade of the SSL/TLS protocol to version 3.0 if the attacked application supports this old SSL version. This legacy protocol is not secure. Depending on the application, it may be possible for an adversary to mount attacks that can lead to disclosure of secret data such as passwords or HTTP cookies.

This attack is not limited to web browsers; other services (such as VPNs, mail clients, etc.) use SSL to secure their traffic as well. Please evaluate your applications and configurations on all operating systems.

Future

The current focus on “internet security”, as it is supported by the Linux Foundation’s Core Infrastructure Initiative for example, helps all of us to get to more security step by step. This focus also means, though, that more issues will probably be found going forward. This is not a sign of weakness, but a sign of strength and increasing stability and focus: finding, reporting and fixing issues is better than keeping them dormant and dangling over our heads! That said: Don’t take reports on security as a threat first and foremost, but as a chance and a sign of progress.

Kind regards from the LinuxCon Europe in Düsseldorf – MgE


Comments

  • AndreasMeyer says:

    The POODLE weakness is not the only weakness of SLED11 clients. A closer look at SSL/TLS CLIENT_HELLOs:

    – no encryption: TLS_RSA_WITH_NULL (Evolution -> POP3S)

    – very weak encryption: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (NetworkManager and WPA2 Enterprise -> EAP_TLS)

    There is no way to disable weak ciphers like RC4 and 3DES in curl/libcurl (-> Software Updates/Supportconfig/suseRegister) to reach compliance with FIPS 140-2 or BSI TR-02102-2.
