CERT/CC Vulnerability Note VU#577193

Overview

Many modern TLS clients can fall back to version 3.0 of the SSL protocol, which is vulnerable to a padding-oracle attack when Cypher-block chaining (CBC) mode is used. This is commonly referred to as the "POODLE" (Padding Oracle On Downgraded Legacy Encryption) attack.

Description

CWE-327: Use of a Broken or Risky Cryptographic Algorithm - CVE-2014-3566

Multiple implementations of SSL 3.0, including the implementation in OpenSSL up to version 1.0.1i, support the use of CBC mode. However, SSL 3.0 is vulnerable to a padding-oracle attack when CBC mode is used. A successful padding-oracle attack can provide an attacker with cleartext information from the encrypted communications.

Additionally, many modern TLS clients still support the ability to fall back to the SSL 3.0 protocol in order to communicate with legacy servers. A man-in-the-middle attacker may be able to force the protocol version negotiation sequence to downgrade to SSL 3.0, thereby opening up the opportunity to exploit the padding-oracle attack.

For more information, please refer to the original security advisory .

Impact

An adjacent, unauthenticated attacker may be able to derive cleartext information from communications that utilize the SSL 3.0 protocol with CBC mode.

Solution

OpenSSL has fixed the issue in OpenSSL versions 1.0.1j, 1.0.0o, and 0.9.8zc. For other implementations of the protocol, please check with the appropriate maintainer or vendor to determine if the implementation is affected by this issue. Additionally, consider the following workaround:

Use TLS_FALLBACK_SCSV

If disabling SSL 3.0 is not possible, TLS client and server implementations should make use of the TLS_FALLBACK_SCSV cipher suite value to prevent man-in-the-middle attackers from forcing unnecessary protocol downgrades.

Vendor Information

577193

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Apple Inc. Affected

Aruba Networks, Inc. Affected

Attachmate Affected

Microsoft Corporation Affected

Mozilla Affected

NEC Corporation Affected

Novell, Inc. Affected

OpenSSL Affected

SUSE Linux Affected

Legion of the Bouncy Castle Not Affected

PeerSec Networks Not Affected

Apache HTTP Server Project Unknown

Apache-SSL Unknown

Botan Unknown

Certicom Unknown

Cryptlib Unknown

Crypto++ Library Unknown

EMC Corporation Unknown

F5 Networks, Inc. Unknown

GnuTLS Unknown

IAIK Java Group Unknown

Mirapoint, Inc. Unknown

Mozilla - Network Security Services Unknown

National Center for Supercomputing Applications Unknown

Netscape NSS Unknown

Nettle Unknown

Nokia Unknown

SafeNet Unknown

Spyrus Unknown

Stunnel Unknown

libgcrypt Unknown

mod_ssl Unknown

wolfSSL Unknown

View all 33 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base	4.3	AV:N/AC:M/Au:N/C:P/I:N/A:N
Temporal	3.6	E:F/RL:OF/RC:C
Environmental	3.6	CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This document was written by Todd Lewellen.

Other Information

CVE IDs:	CVE-2014-3566
Date Public:	2014-10-14
Date First Published:	2014-10-17
Date Last Updated:	2015-01-21 19:34 UTC
Document Revision:	29

Software Engineering Institute

CERT Coordination Center

POODLE vulnerability in SSL 3.0

Vulnerability Note VU#577193