
CERT Coordination Center


POODLE vulnerability in SSL 3.0

Vulnerability Note VU#577193

Original Release Date: 2014-10-17 | Last Revised: 2015-01-21

Overview

Many modern TLS clients can fall back to version 3.0 of the SSL protocol, which is vulnerable to a padding-oracle attack when cipher-block chaining (CBC) mode is used. This is commonly referred to as the "POODLE" (Padding Oracle On Downgraded Legacy Encryption) attack.

Description

CWE-327: Use of a Broken or Risky Cryptographic Algorithm - CVE-2014-3566

Multiple implementations of SSL 3.0, including the implementation in OpenSSL up to version 1.0.1i, support the use of CBC mode. However, SSL 3.0 is vulnerable to a padding-oracle attack when CBC mode is used. A successful padding-oracle attack can provide an attacker with cleartext information from the encrypted communications.

Additionally, many modern TLS clients still support the ability to fall back to the SSL 3.0 protocol in order to communicate with legacy servers. A man-in-the-middle attacker may be able to force the protocol version negotiation sequence to downgrade to SSL 3.0, thereby opening up the opportunity to exploit the padding-oracle attack.

For more information, please refer to the original security advisory.
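The padding-oracle weakness described above comes down to what a receiver is able to check. SSL 3.0 defines only the final padding-length byte; the padding bytes themselves are unspecified, so a receiver accepts any final block whose length byte is in range. TLS 1.0 and later require every padding byte to equal the length byte. The following is an added illustration written for this note, not code from CERT or from any vendor listed here: it implements both receiver rules and counts, over constructed random final blocks, how many each rule accepts. The 16-byte block size and the sample record are assumptions chosen for the demonstration.

```python
import random

BLOCK_SIZE = 16  # AES block size in bytes (assumed); the checks are generic in block_size


def ssl3_padding_valid(plaintext: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """SSL 3.0 rule (RFC 6101, section 5.2.3.2): the final byte gives the padding
    length, which must be less than the block size. The padding bytes themselves
    are not defined, so the receiver has nothing to compare them against."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    return pad_len < block_size and len(plaintext) >= pad_len + 1


def tls_padding_valid(plaintext: bytes) -> bool:
    """TLS 1.0+ rule (RFC 2246, section 6.2.3.2): every padding byte, including
    the length byte itself, must equal the padding length."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if len(plaintext) < pad_len + 1:
        return False
    return all(b == pad_len for b in plaintext[-(pad_len + 1):])


def strip_padding(plaintext: bytes) -> bytes:
    """Drop pad_len + 1 trailing bytes; callers validate first."""
    return plaintext[:-(plaintext[-1] + 1)]


def acceptance_counts(trials: int = 4096, seed: int = 1) -> tuple:
    """Constructed experiment: random final blocks whose length byte claims a
    full block of padding (value 15 for 16-byte blocks). Returns how many
    blocks each rule accepts. SSL 3.0 accepts every one of them because only
    the length byte is inspected; TLS accepts essentially none, since the
    other 15 bytes would all have to equal 0x0f as well."""
    rng = random.Random(seed)
    ssl3_ok = tls_ok = 0
    for _ in range(trials):
        block = bytearray(rng.getrandbits(8) for _ in range(BLOCK_SIZE))
        block[-1] = BLOCK_SIZE - 1
        ssl3_ok += ssl3_padding_valid(bytes(block))
        tls_ok += tls_padding_valid(bytes(block))
    return ssl3_ok, tls_ok


if __name__ == "__main__":
    # Constructed record: one 16-byte data block plus a full block of TLS-style padding.
    good = b"GET / HTTP/1.1\r\n" + bytes([0x0F]) * 16
    print("well-formed padding (ssl3, tls):", ssl3_padding_valid(good), tls_padding_valid(good))
    print("random padding accepted (ssl3, tls):", acceptance_counts())
```

The asymmetry in acceptance_counts() is the whole oracle: under SSL 3.0 a receiver's accept/reject decision on a final block depends on a single byte of the decrypted result, which is why the note's solution is to stop negotiating SSL 3.0 rather than to patch the padding check.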

Impact

An adjacent, unauthenticated attacker may be able to derive cleartext information from communications that utilize the SSL 3.0 protocol with CBC mode.

Solution

OpenSSL has fixed the issue in OpenSSL versions 1.0.1j, 1.0.0o, and 0.9.8zc. For other implementations of the protocol, please check with the appropriate maintainer or vendor to determine if the implementation is affected by this issue. Additionally, consider the following workaround:

Use TLS_FALLBACK_SCSV

If disabling SSL 3.0 is not possible, TLS client and server implementations should make use of the TLS_FALLBACK_SCSV cipher suite value to prevent man-in-the-middle attackers from forcing unnecessary protocol downgrades.
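The workaround works because a client that retries a failed handshake at a lower version marks the retry with TLS_FALLBACK_SCSV, and a server that supports a higher version than the one offered then knows the downgrade was not necessary and aborts. The model below is an added example written for this note, not code from CERT, OpenSSL or any listed vendor; it follows the rule in the TLS fallback SCSV specification (signaling value {0x56,0x00}, fatal alert inappropriate_fallback, number 86) and assumes a simple fallback-by-retry client. The version ladder, the two ordinary cipher suites and the "blocked attempts" counter are constructed for the demonstration.

```python
TLS_FALLBACK_SCSV = 0x5600   # signaling cipher suite value {0x56, 0x00}
INAPPROPRIATE_FALLBACK = 86  # TLS alert description sent by a server that rejects the fallback

SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSL_3_0: "SSL 3.0", TLS_1_0: "TLS 1.0", TLS_1_1: "TLS 1.1", TLS_1_2: "TLS 1.2"}

# Two ordinary suites the constructed client offers (IANA values); which suites
# appear does not matter to the SCSV logic, only whether the signaling value is present.
BASE_SUITES = [0xC02F, 0x002F]


def client_hello(versions, attempt, use_scsv=True):
    """Fallback-by-retry client: the first attempt offers its best version with
    no SCSV; every retry at a lower version carries TLS_FALLBACK_SCSV."""
    suites = list(BASE_SUITES)
    if use_scsv and attempt > 0:
        suites.append(TLS_FALLBACK_SCSV)
    return versions[attempt], suites


def server_response(client_version, cipher_suites, server_max_version):
    """Server rule: if the SCSV is present and the client offered less than the
    server's best version, the client fell back for no protocol reason, so
    abort with inappropriate_fallback. Otherwise negotiate normally.
    Returns (negotiated_version, alert)."""
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max_version:
        return None, INAPPROPRIATE_FALLBACK
    return min(client_version, server_max_version), None


def negotiate(client_versions, server_max_version, use_scsv, attempts_blocked):
    """Walk the client's fallback ladder. `attempts_blocked` is the number of
    leading handshakes that never complete (a broken middlebox, or an active
    interposer dropping them); a legacy client then retries one version lower.
    Returns (negotiated_version, alert)."""
    for attempt in range(len(client_versions)):
        version, suites = client_hello(client_versions, attempt, use_scsv)
        if attempt < attempts_blocked:
            continue  # no ServerHello ever arrived; client tries the next version
        return server_response(version, suites, server_max_version)
    return None, None  # client exhausted its ladder


if __name__ == "__main__":
    ladder = [TLS_1_2, TLS_1_1, TLS_1_0, SSL_3_0]
    for use_scsv in (False, True):
        version, alert = negotiate(ladder, TLS_1_2, use_scsv, attempts_blocked=3)
        print(f"SCSV {'on ' if use_scsv else 'off'}: version={NAMES.get(version)} alert={alert}")
    # A genuine SSL 3.0-only legacy server is still reachable: the fallback is legitimate there.
    print("legacy server:", NAMES.get(negotiate(ladder, SSL_3_0, True, 3)[0]))
```

The three runs in the usage block show the property the workaround relies on: without the SCSV, three dropped handshakes leave a TLS 1.2-capable pair talking SSL 3.0; with it, the same server answers the SSL 3.0 retry with alert 86, while a server whose best version really is SSL 3.0 still completes the handshake. The SCSV therefore blocks only unnecessary downgrades, which is why the note recommends it when SSL 3.0 cannot simply be disabled.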

Vendor Information


Apple Inc.

Updated:  October 17, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://support.apple.com/kb/HT6531

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Aruba Networks, Inc.

Notified:  October 17, 2014 Updated:  October 20, 2014

Status

  Affected

Vendor Statement

Aruba has published an advisory. Users should refer to the advisory for up-to-date information.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.arubanetworks.com/support/alerts/aid-10142014.txt

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Attachmate

Notified:  October 17, 2014 Updated:  October 27, 2014

Status

  Affected

Vendor Statement

Attachmate has released an advisory.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://support.attachmate.com/techdocs/2750.html

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Notified:  October 17, 2014 Updated:  January 21, 2015

Status

  Affected

Vendor Statement

https://technet.microsoft.com/en-us/library/security/3009008.aspx

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mozilla

Updated:  October 17, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation

Updated:  October 28, 2014

Status

  Affected

Vendor Statement

"We provide information on this issue at the following URL:

http://jpn.nec.com/security-info/av14-004.html"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://jpn.nec.com/security-info/av14-004.html

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Novell, Inc.

Updated:  October 27, 2014

Status

  Affected

Vendor Statement

Novell has released an advisory.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.novell.com/support/kb/doc.php?id=7015777

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenSSL

Updated:  October 17, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SUSE Linux

Updated:  October 27, 2014

Status

  Affected

Vendor Statement

SUSE has released an advisory.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.suse.com/support/kb/doc.php?id=7015773

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Legion of the Bouncy Castle

Notified:  October 17, 2014 Updated:  October 20, 2014

Status

  Not Affected

Vendor Statement

"Bouncy Castle Java APIs version 1.46, or later, offer the ability to access SSL v3 by overriding methods in order to allow support for it. By default SSL v3 support is turned off.

It is possible to see if a developer has created the necessary overrides by looking for overrides of the methods AbstractTlsClient.getMinimumVersion () or TlsClient.notifyServerVersion () in client code, and by looking for overrides of AbstractTlsServer.getMinimumVersion () or TlsServer.getServerVersion () in server code.

Bouncy Castle C# APIs version 1.8 (still in beta) also contain a TLS API, which follows the same profile as the Bouncy Castle Java APIs in respect to SSL v3. Support for “TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks”, currently described at

https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

has been added to both the Java and C# APIs to allow developers to prevent SSL v3 as anything but a worst case. We are planning to continue tracking the fallback document as it evolves and will include the results in the next releases of the Java and C# APIs (1.52 and 1.8 respectively).

For further enquiries in relation to this please contact us at office@bouncycastle.org."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.bouncycastle.org/

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

PeerSec Networks

Notified:  October 17, 2014 Updated:  October 20, 2014

Status

  Not Affected

Vendor Statement

"MatrixSSL version support is configured with a compile-time define, and we have disabled SSL 3.0 by default since MatrixSSL 3.3.1 on July 16, 2012.

Anyone using MatrixSSL over the past 2 years would have had to manually enable SSL 3.0. Also, we have done TLS-style padding for SSL 3.0 record encoding since the beginning; however, we can't enforce it on decoding, so that was of limited use unless communicating with our own library."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apache HTTP Server Project

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apache-SSL

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Botan

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Certicom

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cryptlib

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Crypto++ Library

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

EMC Corporation

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F5 Networks, Inc.

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

GnuTLS

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IAIK Java Group

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mirapoint, Inc.

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mozilla - Network Security Services

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

National Center for Supercomputing Applications

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Netscape NSS

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nettle

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nokia

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SafeNet

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Spyrus

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Stunnel

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

libgcrypt

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

mod_ssl

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

wolfSSL

Notified:  October 17, 2014 Updated:  October 17, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N
Temporal 3.6 E:F/RL:OF/RC:C
Environmental 3.6 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

This document was written by Todd Lewellen.

Other Information

CVE IDs: CVE-2014-3566
Date Public: 2014-10-14
Date First Published: 2014-10-17
Date Last Updated: 2015-01-21 19:34 UTC
Document Revision: 28

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.