
CERT Coordination Center

POODLE vulnerability in SSL 3.0

Vulnerability Note VU#577193

Original Release Date: 2014-10-17 | Last Revised: 2015-01-21

Overview

Many modern TLS clients can fall back to version 3.0 of the SSL protocol, which is vulnerable to a padding-oracle attack when cipher-block chaining (CBC) mode is used. This is commonly referred to as the "POODLE" (Padding Oracle On Downgraded Legacy Encryption) attack.

Description

CWE-327: Use of a Broken or Risky Cryptographic Algorithm - CVE-2014-3566

Multiple implementations of SSL 3.0, including the implementation in OpenSSL up to version 1.0.1i, support the use of CBC mode. However, SSL 3.0 is vulnerable to a padding-oracle attack when CBC mode is used. A successful padding-oracle attack can provide an attacker with cleartext information from the encrypted communications.
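The reason SSL 3.0 in CBC mode yields a padding oracle while TLS does not lies in what the receiver is able to verify after decryption. The following is an added example, not code from CERT/CC or from any vendor listed in this note: it models only the padding-validation step on an already-decrypted record, with the byte strings constructed inline (an 8-byte block size is assumed; the logic is identical for 16).

```python
"""
Padding validation after CBC decryption: the SSL 3.0 rule beside the TLS rule.

Added example for this note, not code from CERT/CC or from any vendor listed
here. It models only the step a receiver performs on the already-decrypted
GenericBlockCipher payload; the byte strings below are constructed inline and
no network, cipher or MAC computation is involved.
"""

BLOCK_SIZE = 8  # assumption: an 8-byte block cipher; the logic is identical for 16


def sslv3_padding_ok(plain: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """SSL 3.0 rule (RFC 6101, section 5.2.3.2).

    The last byte is the padding length and must be less than the block
    size.  The padding bytes themselves have no defined value in SSL 3.0, so
    a receiver cannot check them: any content is accepted as long as the
    final length byte is plausible.
    """
    if not plain:
        return False
    pad_len = plain[-1]
    return pad_len < block_size and len(plain) >= pad_len + 1


def tls_padding_ok(plain: bytes) -> bool:
    """TLS 1.0 and later rule (RFC 2246, section 6.2.3.2).

    Every padding byte must equal the padding-length byte, so a record whose
    padding bytes were not produced by the legitimate sender fails this check.
    """
    if not plain:
        return False
    pad_len = plain[-1]
    if len(plain) < pad_len + 1:
        return False
    return all(b == pad_len for b in plain[-(pad_len + 1):])


def strip_padding(plain: bytes) -> bytes:
    """Remove the padding-length byte and the padding; validate first."""
    return plain[: len(plain) - plain[-1] - 1]


def compare_checks(plain: bytes) -> dict:
    """Run both receiver rules on one decrypted block and report the verdicts."""
    return {"sslv3": sslv3_padding_ok(plain), "tls": tls_padding_ok(plain)}


# Constructed samples (MAC omitted so each record is a single 8-byte block):
# five payload bytes, two padding bytes, one padding-length byte (0x02).
WELL_FORMED = b"hello" + bytes([0x02, 0x02]) + bytes([0x02])
# Same length byte, but the padding bytes carry arbitrary values.
FORGED_PADDING = b"hello" + bytes([0x9A, 0x13]) + bytes([0x02])
# Length byte too large for an 8-byte record: both rules reject it.
BAD_LENGTH = b"hello" + bytes([0x08, 0x08]) + bytes([0x08])

if __name__ == "__main__":
    for name, rec in (("well-formed", WELL_FORMED),
                      ("forged padding", FORGED_PADDING),
                      ("bad length", BAD_LENGTH)):
        print(f"{name:15s} {compare_checks(rec)}")
    print("payload:", strip_padding(WELL_FORMED))
```

The record with forged padding is the interesting case: an SSL 3.0 receiver accepts it and a TLS receiver rejects it, and that difference in accept/reject behaviour is the oracle the note refers to. It also explains the PeerSec statement further down: a library can emit TLS-style padding while speaking SSL 3.0, but as a receiver it still has to accept arbitrary padding bytes to interoperate, so the stricter format protects nothing unless both ends enforce it.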

Additionally, many modern TLS clients still support the ability to fall back to the SSL 3.0 protocol in order to communicate with legacy servers. A man-in-the-middle attacker may be able to force the protocol version negotiation sequence to downgrade to SSL 3.0, thereby opening up the opportunity to exploit the padding-oracle attack.

For more information, please refer to the original security advisory.

Impact

An adjacent, unauthenticated attacker may be able to derive cleartext information from communications that utilize the SSL 3.0 protocol with CBC mode.

Solution

OpenSSL has fixed the issue in OpenSSL versions 1.0.1j, 1.0.0o, and 0.9.8zc. For other implementations of the protocol, please check with the appropriate maintainer or vendor to determine if the implementation is affected by this issue. Additionally, consider the following workaround:

Use TLS_FALLBACK_SCSV

If disabling SSL 3.0 is not possible, TLS client and server implementations should make use of the TLS_FALLBACK_SCSV cipher suite value to prevent man-in-the-middle attackers from forcing unnecessary protocol downgrades.
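How the signalling cipher suite value actually stops a forced downgrade is easier to see as code. The following is an added example and is not code from CERT/CC, OpenSSL or any vendor listed below; it models the RFC 7507 rule (the published form of the draft-ietf-tls-downgrade-scsv document cited in the Bouncy Castle statement) in plain Python with no sockets. The version numbers, the cipher suite values and the alert codes are the real protocol constants; the handshake failure that triggers the client's retry is simulated.

```python
"""
TLS_FALLBACK_SCSV negotiation logic, modelled in plain Python.

Added example for this note; not code from CERT/CC, OpenSSL or any listed
vendor.  Encodes the RFC 7507 rule: a client that retries a handshake at a
lower protocol version advertises the signalling cipher suite value, and a
server that supports a higher version than the one offered answers with an
inappropriate_fallback alert instead of accepting the downgrade.  No network
traffic is generated; the exchange is simulated in memory.
"""

# Protocol version numbers as they appear on the wire (major, minor).
SSL3_0, TLS1_0, TLS1_1, TLS1_2 = 0x0300, 0x0301, 0x0302, 0x0303

TLS_FALLBACK_SCSV = 0x5600             # cipher suite value {0x56, 0x00}, RFC 7507
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F  # an ordinary suite so the list is realistic

ALERT_INAPPROPRIATE_FALLBACK = 86      # AlertDescription defined by RFC 7507
ALERT_PROTOCOL_VERSION = 70            # standard TLS alert for an unsupported version


def client_hello(highest_supported: int, attempt: int) -> dict:
    """Build the version and cipher-suite fields of a ClientHello.

    A client that normally speaks `highest_supported` but is retrying at the
    lower version `attempt` (because an earlier handshake failed) appends
    TLS_FALLBACK_SCSV so the server can distinguish a fallback retry from a
    genuinely old client.
    """
    suites = [TLS_RSA_WITH_AES_128_CBC_SHA]
    if attempt < highest_supported:
        suites.append(TLS_FALLBACK_SCSV)
    return {"version": attempt, "cipher_suites": suites}


def server_response(hello: dict, server_min: int, server_max: int) -> tuple:
    """Decide what an SCSV-aware server does with a ClientHello.

    Returns ("alert", code) or ("negotiate", version).
    """
    offered = hello["version"]
    if offered < server_min:
        # SSL 3.0 disabled on the server: the preferred fix in the Solution section.
        return ("alert", ALERT_PROTOCOL_VERSION)
    # RFC 7507 section 3: SCSV present and the server supports something newer
    # than the client offered means the client was downgraded; refuse.
    if TLS_FALLBACK_SCSV in hello["cipher_suites"] and offered < server_max:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("negotiate", min(offered, server_max))


def downgrade_attempt(client_max: int, server_min: int, server_max: int) -> tuple:
    """Simulate the scenario in the note: the client's first handshake at its
    best version does not complete (modelled as simply failing), so it retries
    at SSL 3.0 with the SCSV set.  Returns the server's decision."""
    retry = client_hello(client_max, SSL3_0)
    return server_response(retry, server_min, server_max)


if __name__ == "__main__":
    print("modern client, modern server, forced retry:",
          downgrade_attempt(TLS1_2, SSL3_0, TLS1_2))       # ('alert', 86)
    print("modern client, legacy SSL 3.0-only server:",
          downgrade_attempt(TLS1_2, SSL3_0, SSL3_0))       # ('negotiate', 768)
    print("genuinely old SSL 3.0 client, modern server:",
          server_response(client_hello(SSL3_0, SSL3_0), SSL3_0, TLS1_2))
    print("modern client, server with SSL 3.0 disabled:",
          downgrade_attempt(TLS1_2, TLS1_0, TLS1_2))       # ('alert', 70)
```

Two of the simulated cases show the limits of the workaround. A retry against a server whose best version really is SSL 3.0 still succeeds, which is the legitimate fallback the note describes for legacy servers. A client whose highest version is SSL 3.0 never sends the SCSV, so an SCSV-aware server still accepts it; the signalling value protects only clients that could have done better. That is why disabling SSL 3.0 on both ends remains the primary solution and TLS_FALLBACK_SCSV is the fallback for the cases where it cannot be disabled.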

Vendor Information


Apple Inc. Affected

Updated: October 17, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Aruba Networks, Inc. Affected

Notified: October 17, 2014 Updated: October 20, 2014

Status

Affected

Vendor Statement

Aruba has published an advisory. Users should refer to the advisory for up-to-date information.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Attachmate Affected

Notified: October 17, 2014 Updated: October 27, 2014

Status

Affected

Vendor Statement

Attachmate has released an advisory.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Microsoft Corporation Affected

Notified: October 17, 2014 Updated: January 21, 2015

Status

Affected

Vendor Statement

https://technet.microsoft.com/en-us/library/security/3009008.aspx

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mozilla Affected

Updated: October 17, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

NEC Corporation Affected

Updated: October 28, 2014

Status

Affected

Vendor Statement

"We provide information on this issue at the following URL:

http://jpn.nec.com/security-info/av14-004.html"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Novell, Inc. Affected

Updated: October 27, 2014

Status

Affected

Vendor Statement

Novell has released an advisory.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

OpenSSL Affected

Updated: October 17, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux Affected

Updated: October 27, 2014

Status

Affected

Vendor Statement

SUSE has released an advisory.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Legion of the Bouncy Castle Not Affected

Notified: October 17, 2014 Updated: October 20, 2014

Status

Not Affected

Vendor Statement

"Bouncy Castle Java APIs version 1.46, or later, offer the ability to access SSL v3 by overriding methods in order to allow support for it. By default SSL v3 support is turned off.

It is possible to see if a developer has created the necessary overrides by looking for overrides of the methods AbstractTlsClient.getMinimumVersion () or TlsClient.notifyServerVersion () in client code, and by looking for overrides of AbstractTlsServer.getMinimumVersion () or TlsServer.getServerVersion () in server code.

Bouncy Castle C# APIs version 1.8 (still in beta) also contains a TLS API, which follows the same profile as the Bouncy Castle Java APIs in respect to SSL v3. Support for “TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks”, currently described at

https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

has been added to both the Java and C# APIs to allow developers to prevent SSL v3 as anything but a worst case. We are planning to continue tracking the fallback document as it evolves and will include the results in the next releases of the Java and C# APIs (1.52 and 1.8 respectively).

For further enquiries in relation to this please contact us at office@bouncycastle.org."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

PeerSec Networks Not Affected

Notified: October 17, 2014 Updated: October 20, 2014

Status

Not Affected

Vendor Statement

"MatrixSSL version support is configured with compile-time define, and we have disabled SSL3.0 by default since MatrixSSL 3.3.1 on July 16, 2012.

Anyone using MatrixSSL over the past 2 years would have had to manually enable SSL 3.0. Also, we do TLS style padding for SSL3.0 since the beginning for record encoding, however we can't enforce it on decoding, so that was of limited use unless communicating with our own library"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apache HTTP Server Project Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Apache-SSL Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Botan Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Certicom Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Cryptlib Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Crypto++ Library Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

EMC Corporation Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

F5 Networks, Inc. Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

GnuTLS Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IAIK Java Group Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Mirapoint, Inc. Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Mozilla - Network Security Services Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

National Center for Supercomputing Applications Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Netscape NSS Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Nettle Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Nokia Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SafeNet Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Spyrus Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Stunnel Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

libgcrypt Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

mod_ssl Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

wolfSSL Unknown

Notified: October 17, 2014 Updated: October 17, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CVSS Metrics

Group          Score  Vector
Base           4.3    AV:N/AC:M/Au:N/C:P/I:N/A:N
Temporal       3.6    E:F/RL:OF/RC:C
Environmental  3.6    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This document was written by Todd Lewellen.

Other Information

CVE IDs: CVE-2014-3566
Date Public: 2014-10-14
Date First Published: 2014-10-17
Date Last Updated: 2015-01-21 19:34 UTC
Document Revision: 29

Sponsored by CISA.