SSL 3.0 POODLE attack information leakage Vulnerability (CVE-2014-3566)
Release date:
Updated on:
Affected Systems:
Netscape SSL 3.0
Netscape TLS
Unaffected Systems:
Netscape TLS 1.2
Netscape TLS 1.1
Netscape TLS 1.0
Description:
CVE (CAN) ID: CVE-2014-3566
SSL 3.0 is an out-of-date and insecure protocol that has been replaced by TLS 1.0, TLS 1.1, and TLS 1.2. For backward compatibility, most TLS implementations still support SSL 3.0.
To remain broadly interoperable, most browsers currently support SSL 3.0. The handshake phase of the TLS protocol includes a version negotiation step, and generally the latest protocol version supported by both the client and the server is used. During version negotiation with the server, the client first offers the latest protocol version it supports. If the handshake fails, it retries with an earlier protocol version. An attacker who is able to launch a man-in-the-middle attack can carry out a downgrade attack by making the affected browser's connection attempts with newer protocols fail, so that the client and the server fall back to the insecure SSL 3.0. At that point, because of the vulnerability in how SSL 3.0 implements CBC block encryption, the attacker can recover encrypted information from the SSL connection, for example user cookie data. This attack is called the POODLE attack (Padding Oracle On Downgraded Legacy Encryption).
This vulnerability affects the vast majority of SSL servers and clients and has a wide impact. However, to exploit it, an attacker must be able to control the data exchanged between the client and the server (that is, carry out a man-in-the-middle attack).
<* Source: Bodo Möller
Thai Duong
Krzysztof Kotowicz
Link: https://www.openssl.org/~bodo/ssl-poodle.pdf
https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html
blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html
*>
Suggestion:
Temporary solution:
If you cannot install or upgrade the patch immediately, NSFOCUS recommends that you take the following measures to reduce the threat:
* Disable the SSL 3.0 protocol.
Currently, only Internet Explorer 6.0 does not support TLS 1.0, so disabling SSL 3.0 affects SSL access from Internet Explorer 6.
Server disabling method:
Apache 2.x:
In the mod_ssl configuration file, use the following directive to disable SSLv2 and SSLv3:
SSLProtocol All -SSLv2 -SSLv3
Restart Apache.
Nginx:
Use the following directive in the configuration file:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Restart Nginx.
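An added example, not part of the original advisory: a small Python check that reads Apache `SSLProtocol` and nginx `ssl_protocols` lines and reports whether SSL 3.0 is still enabled. The sample configuration is constructed, and the handling of `all` and of unprefixed Apache tokens is a simplified model assumed for illustration.

```python
# Added example (not from the advisory): audit Apache/nginx protocol directives.
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")  # protocols named on this page
CANON = {p.lower(): p for p in KNOWN}

def resolve(args, apache):
    """Return (enabled protocol set, tokens that could not be parsed)."""
    enabled, bad = set(), []
    for tok in args.split():
        sign = tok[0] if apache and tok[0] in "+-" else ""
        name = tok[len(sign):].lower()
        if apache and name == "all":
            group = set(KNOWN)       # assumption: "all" still includes SSLv2/SSLv3
        elif name in CANON:
            group = {CANON[name]}
        else:
            bad.append(tok)          # e.g. "All-SSLv2-SSLv3" with its spaces lost
            continue
        if sign == "-":
            enabled -= group
        elif sign == "+" or not apache:
            enabled |= group
        else:
            enabled = set(group)     # assumption: a bare Apache token replaces the set
    return enabled, bad

def audit(config_text):
    """Return [(line number, status)] for each SSLProtocol / ssl_protocols line."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].strip().rstrip(";").split(None, 1)
        if len(parts) != 2:
            continue
        if parts[0].lower() == "sslprotocol":
            enabled, bad = resolve(parts[1], apache=True)
        elif parts[0] == "ssl_protocols":
            enabled, bad = resolve(parts[1], apache=False)
        else:
            continue
        status = "invalid" if bad else "sslv3-enabled" if "SSLv3" in enabled else "ok"
        findings.append((lineno, status))
    return findings

# Constructed sample input: two Apache lines that differ only in spacing, plus legacy lines.
SAMPLE = """\
SSLProtocol All -SSLv2 -SSLv3
SSLProtocol All-SSLv2-SSLv3
SSLProtocol all -SSLv2
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols SSLv3 TLSv1;   # constructed legacy line
"""
```

Calling `audit(SAMPLE)` marks the run-together form `All-SSLv2-SSLv3` as invalid instead of silently treating it as safe, which is the failure mode to watch for when copying the directive.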
IIS:
Find the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
This registry key usually contains the following subkeys:
* PCT 1.0
* SSL 2.0
* SSL 3.0
* TLS 1.0
Each subkey holds the protocol-related information that applies to that protocol. You can disable any of these protocols on the server. To do so, create a new DWORD value in the Server subkey of SSL 3.0 and set the DWORD value to "00 00 00".
Browser disabling method:
IE:
"Tools" -> "Internet Options" -> "Advanced", then clear the "Use SSL 3.0" check box.
Chrome:
Copy a shortcut that you normally use to open the Chrome browser, right-click the new shortcut, and open Properties.
At the end of the "Target" field, after a space, append the following: --ssl-version-min=tls1
Firefox:
Enter "about:config" in the address bar, and then set security.tls.version.min to 1.
Vendor patch:
Netscape
--------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
Refer:
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://technet.microsoft.com/en-us/library/security/3009008