The POODLE Vulnerability
Who is infected?
“All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 (also known as SSLv3) with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios. Some Transport Layer Security (TLS) implementations are also vulnerable to the POODLE attack.” – https://www.us-cert.gov/ncas/alerts/TA14-290A
What is the POODLE Vulnerability?
Padding Oracle On Downgraded Legacy Encryption (POODLE) is a vulnerability in SSL 3.0 caused by the block encryption method used in the SSL protocol. The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS. This allows an attacker to force the use of SSL 3.0 and then use this vulnerability to decrypt content within the SSL session. To execute the POODLE attack two other conditions must be met. The most common scenario for this attack is a man-in-the-middle position; however, there are other possibilities.
What is the Risk?
One example of this vulnerability being exploited is a web-based scenario. An attacker can gain access to sensitive data even though it is sent within an encrypted web session. This includes passwords, cookies, and other authentication tokens, which in this case can then be used to gain access to a website. If the attacker can impersonate an administrator, they can potentially do a lot of damage as well as exfiltrate private information.
Unfortunately, SSL 3.0 was never patched to rid itself of this vulnerability. There are a few ways to rid your system of this vulnerability, but the simplest and recommended method is to disable SSL 3.0. This will, however, prevent older systems that rely strictly on SSL 3.0 from connecting. If that is a possible issue, then you should explore other fixes such as preventing forced protocol downgrade attacks, as this would also prevent the POODLE attack from occurring.
There are PowerShell scripts available online for download. Feel free to use the one provided here: https://archive.codeplex.com/?p=poodlefix
Steps to Disable SSLv3
For Windows Server 2012
- Log in to Windows Server and open the Registry Editor, running it as administrator:
On the Start screen type regedit.exe.
Right-click on regedit.exe and click Run as administrator.
- In the Registry Editor window, go to:
- In the navigation tree, right-click on Protocols, and in the pop-up menu, click New > Key and name the key as SSL 3.0
- In the navigation tree, right-click on the new SSL 3.0 key that we have created in the above step, and in the pop-up menu, click New > Key and name the key as Client
- In the navigation tree, right-click again on the SSL 3.0 and in the pop-up menu, click New > Key and name the key as Server
- In the navigation tree, under SSL 3.0, right-click on Client, and in the pop-up menu, click New > DWORD (32-bit) Value and name the value DisabledByDefault
- In the navigation tree, under SSL 3.0, select Client and then, in the right pane, double-click the DisabledByDefault DWORD value. In the Edit DWORD (32-bit) Value window, in the Value Data box change the value to 1 and then, click OK.
- In the navigation tree, under SSL 3.0, right-click on Server, and in the pop-up menu, click New > DWORD (32-bit) Value and name the value Enabled
- In the navigation tree, under SSL 3.0, select Server and then, in the right pane, double-click the Enabled DWORD value. In the Edit DWORD (32-bit) Value window, in the Value Data box leave the value at 0 and then, click OK.
- Restart the Windows Server to apply these changes permanently.
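The registry steps above as a script that also verifies the result. This is an added example, not part of the original page and not the poodlefix script linked earlier. The Schannel Protocols path is the standard location and is assumed here because the page does not spell it out; the function names are illustrative.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell session.
# Assumption: standard Schannel Protocols key; the page does not state the path.
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$ssl3 = "$protocols\SSL 3.0"

# The two DWORD values the manual steps create.
$settings = @(
    @{ SubKey = 'Client'; Name = 'DisabledByDefault'; Value = 1 },
    @{ SubKey = 'Server'; Name = 'Enabled';           Value = 0 }
)

function Test-Ssl3Disabled {
    # $true only if both values exist and hold the expected data.
    foreach ($s in $settings) {
        $props = Get-ItemProperty -Path "$ssl3\$($s.SubKey)" -ErrorAction SilentlyContinue
        if (($null -eq $props) -or ($props.($s.Name) -ne $s.Value)) { return $false }
    }
    return $true
}

function Disable-Ssl3 {
    foreach ($s in $settings) {
        $key = "$ssl3\$($s.SubKey)"
        # Create only keys that are missing; -Force also creates the "SSL 3.0" parent.
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        # -Force overwrites an existing value that has the wrong data.
        New-ItemProperty -Path $key -Name $s.Name -Value $s.Value `
            -PropertyType DWord -Force | Out-Null
    }
}

if (Test-Ssl3Disabled) {
    Write-Output 'SSL 3.0 is already disabled in Schannel; nothing changed.'
} else {
    Disable-Ssl3
    if (Test-Ssl3Disabled) {
        Write-Output 'SSL 3.0 disabled. Restart the server to apply the change.'
    } else {
        Write-Error 'Registry values did not verify; check that the session is elevated.'
    }
}
```

Running the script a second time reports the current state without modifying the registry, which makes it usable as a periodic audit check.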