Operating System:

[WIN][UNIX/Linux][Appliance][Mobile]

Published:

15 October 2014

Protect yourself against future threats.

//Service

Security Bulletins

Receive up to date and consistent security bulletins across a wide range of vendors, streamlining security patching.

Read more
Resources > Security Bulletins > ASB-2014.0122 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0122
       Vulnerability in SSLv3 could be exploited through a protocol
                downgrade attack to reveal clear text data
                              15 October 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Secure Sockets Layer version 3 (SSLv3)
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
                      Mobile Device
                      Network Appliance
Impact/Access:        Access Confidential Data -- Remote with User Interaction
                      Reduced Security         -- Remote with User Interaction
Resolution:           Mitigation
CVE Names:            CVE-2014-3566  
Member content until: Friday, November 14 2014

OVERVIEW

        The OpenSSL Project has issued advisories warning 
        against vulnerabilities in SSLv3 which could be exploited through a
        protocol downgrade attack to obtain clear text data. This 
        vulnerability has been dubbed the "POODLE" issue. [1]


IMPACT

        The vulnerability has been assigned CVE-2014-3566, but limited 
        details have been released regarding attack vectors and impacts.
        
        The vulnerability is explained as follows:
        
        "SSL 3.0 [RFC6101] is an obsolete and insecure protocol. While for 
        most practical purposes it has been replaced by its successors TLS 
        1.0 [RFC2246], TLS 1.1 [RFC4346], and TLS 1.2 [RFC5246], many TLS 
        implementations remain backwards­ compatible with SSL 3.0 to 
        interoperate with legacy systems in the interest of a smooth user 
        experience. 
        
        The protocol handshake provides for authenticated 
        version negotiation, so normally the latest protocol version common
        to the client and the server will be used. However, even if a client
        and server both support a version of TLS, the security level offered
        by SSL 3.0 is still relevant since many clients implement a protocol
        downgrade dance to work around server­side interoperability bugs. In
        this Security Advisory, we discuss how attackers can exploit the 
        downgrade dance and break the cryptographic security of SSL 3.0. [1]


MITIGATION

        It is recommended that, where possible, implementations of SSLv3 be
        disabled and replaced with TLS v1.2. All TLS Client and Server 
        implementations are to use the TLS_FALLBACK_SCSV mechanism which 
        prevents protocol downgrade attack. [1]


REFERENCES

        [1] This POODLE Bites: Exploiting The SSL 3.0 Fallback
            https://www.openssl.org/~bodo/ssl-poodle.pdf

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVD4V+hLndAQH1ShLAQLBRA/5AcaGF1+1fGR3x5d5ow+S4i0YcBpFoRTA
F+nB3ZWEgMVEsP7HwO7PzdNkIDeRnj1PG4cMbIyBlmv69VHmgWXr1JvUXKAuV5+X
/lbD+LXkjaT0HSNA9hieA1fZQCKoBbhCzXrppkVLoRAcHx4EjRQ89hFNU7CqyBjM
pwyh4U2wNq1GOWQGvej0TXU8b0cDmmwKdDLSFEHQ6FJQKMO4UcO7xuwGll2gI0aW
ORLVnm7lAExB5EG4BK/DhxMOd7aKQWHGIcsLI0oE1yKXZ2s0lKGHtp/A6zWMRfjM
ps395CGtY/JXqYxSdKzKOxGsNcqsBvYnrIooWpu+yHDCtRemmvyJeoGquWwVYwsg
B6EpLC/L2+Y0vsrk5szrosQ+NBKF4srWfr4QIk98H7wQ9qnPWtG87kCdLi5xBkEI
w6oBaH+1SYkUvpLe7UKFGGpEI89nSwjLUH/TrxMpPEdn3Dcb2zCqVjcG2n7CPnkb
VFGSBNxB10KfawvyEWkyhCVhOu9pytgq8p18cx1YRenKuc+eNNG+EA0U5k1sQmKq
WekG1PrVnu24Khoj2VUubvz7KEcj+O9C4hxIkP5ipz3dntxLuSbbxXtm7BaQTZuc
TSZ5mZlVnhk4kjczLecInMPnLvW1wFs8zvPNoPvQewuVEady2tIvvglgAwnqVWLm
mGD28I7Zhw4=
=+jPq
-----END PGP SIGNATURE-----