Lately, we have seen some really bad vulnerabilities in regards to SSL (Heartbleed) and Bash (later dubbed “Shellshock”), along with some slightly “lighter” linux/open source ones.

In September of this year, Google first discovered a fallback attack for SSL v3.0, and they wrote published a paper on it: https://www.openssl.org/~bodo/ssl-poodle.pdf.
Today, it was officially confirmed that SSL version 3.0 is no longer secure, and thus, it is no longer recommended in client software (ex: web browsers, mail clients, etc…) or server software (ex: apache, postfix, etc…).
This was dubbed the “POODLE” vulnerability, and given CVE-2014-3566

A “POODLE attack” can be used against any website or browser that still supports SSLv3.
Browsers and websites need to turn off SSLv3 as soon as possible in order to avoid compromising sensitive/private information. Even though a really small percent of servers/browsers are vulnerable (mozilla estimates 0.3% of the internet), that is quite large in the total number of users.

How can I check if my browser is Vulnerable?
The guys at dshield setup this nice browser check: https://sslv3.dshield.org:444/index.html For checking your browser, use: https://www.poodletest.com

Poodletest was first mentioned to me by Curtis Wilcox.

Chris La Nauze mentioned another website which seems great (if not even better than dshield’s):
https://www.bestvpn.com/poodle-ssl3-exploit-protection/

Until an official patch comes out (this is a design bug, not a software bug – it will most likely be just end-of-lifed), you can turn off SSLv3 support for these major products:

How can I check if my server is Vulnerable?
For checking your server, use: https://www.poodlescan.com

If you want something a bit more “trusted”, you can review the source code and download this: https://github.com/0xICF/POODLEScanner

You can install and run this yourself very easily (Ubuntu based systems):

Alternatively, you can also just download “python3-pip” and then install it via “pip3 install IPy”.

At last, you can even use some of the more commonly available tools:
One way is via nmap: http://mariuszs.github.io/blog/2014/sslv3-poodle-check.html

Essentially, you are running:

 
The other way via OpenSSL directly which is even simpler (and guaranteed to be available on any linux system):

 

Patching Firefox:
In firefox, go to “about:config“, find security.tls.version.min and set the value to 1. Then restart your browser to drop any open SSL connections.

Patching in Internet Explorer (IE):
Go to: Setting -> Internet Options -> Advanced Tab -> Uncheck “SSLv3” under “Security”

Patching Apache:
Edit your ssl.conf (or equivalent virtual config) and add: SSLProtocol All -SSLv2 -SSLv3
Then restart apache: sudo service apache2 restart

Patching Nginx
Edit your config and add: ssl_protocols: TLSv1 TLSv1.1 TLSv1.2;
Then restart nginx: sudo service nginx restart

Patching Postfix
Edit your main.cf config and change: smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
Then restart postfix: sudo service postfix restart

Patching IIS
Open regedit and go to:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols
Under Protocols you will probably have a folder called “SSL 2.0“. Please create a “SSL 3.0” folder if you don’t have one already. Under the SSL 3.0 folder, please create a DWORD value called “Enabled” with value “0“. At this point, you have to reboot the server.

Another way to solve this problem, per Google is to “use SSL implementations that take advantage of the TLS_FALLBACK_SCSV feature. This feature notifies the other side that you first tried the stronger cipher. This way, they can reject the downgrade attempt that may have been introduced by a MitM attack.”.

2 Thoughts on “OpenSSL – SSL 3.0 Poodle Vulnerability

  1. Great info, Ty

  2. Good article, at the time I read this article dshield.org’s site was unavailable, so if your readers are after another good site that checks your browser, and then offers ways to fix the problem, check out https://zmap.io/sslv3/browsers.html

Leave a Reply

Your email address will not be published. Required fields are marked *

>> NOTE: Please use <code>...</code> to post code/configs in your comment.

Post Navigation