CERT-In Advisory
CIAD-2014-0059
SSL 3.0 Protocol Information Disclosure Vulnerability (POODLE)
Original Issue Date: October 15, 2014
Severity Rating: High
Systems Affected
- TLS implementations having backwards compatibility with SSL 3.0
Overview
The SSL 3.0 protocol has a design flaw that could be exploited by remote attackers to decrypt the contents of encrypted connections. Some TLS implementations are also vulnerable to the POODLE attack.
Description
SSL 3.0 is an obsolete and insecure protocol. For most practical purposes it has been replaced by its successors TLS 1.0, TLS 1.1 and TLS 1.2. Most of the TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems.
The SSL 3.0 cipher suites have a weaker key derivation process: half of the master key that is established is fully dependent on the MD5 hash function, which is not resistant to collisions and is not considered secure.
A remote attacker could exploit this issue by triggering network faults to initiate a "downgrade dance" that coerces web browsers back to using SSL v3, even if the superior TLS protocol is available. From there, a man-in-the-middle attack can decrypt secure HTTP traffic.
Some TLS implementations may also be vulnerable to the POODLE attack if they use SSL 3.0-style padding and do not properly check the padding bytes.
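The padding check referred to above, as an added example that is not part of the CERT-In advisory or of any vendor's code: it contrasts the SSL 3.0 rule, where only the final length byte is defined, with the TLS rule, where every padding byte must equal the padding length. The function names, the 16-byte block size and the sample records are assumptions constructed for illustration; the input is the already-decrypted CBC record.

```python
import hmac

BLOCK = 16  # assumed CBC block size (AES); 3DES would use 8


def sslv3_padding_ok(plaintext: bytes, block: int = BLOCK) -> bool:
    """SSL 3.0 rule: the last byte is the padding length, which must be
    smaller than the block size. The padding bytes themselves are
    unspecified, so the receiver has nothing to compare them against."""
    if not plaintext or len(plaintext) % block:
        return False
    pad_len = plaintext[-1]
    return pad_len < block and pad_len + 1 <= len(plaintext)


def tls_padding_ok(plaintext: bytes, block: int = BLOCK) -> bool:
    """TLS 1.0+ rule: the length byte and every padding byte before it
    must all carry the same value (the padding length)."""
    if not plaintext or len(plaintext) % block:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    expected = bytes([pad_len]) * (pad_len + 1)
    # compare_digest avoids an early exit on the first mismatching byte
    return hmac.compare_digest(plaintext[-(pad_len + 1):], expected)


# Constructed sample records: 9 bytes standing in for data + MAC,
# followed by 6 padding bytes and the length byte 0x06.
WELL_FORMED = b"A" * 9 + b"\x06" * 7
# Same length byte, but the six padding bytes have been changed.
ALTERED = b"A" * 9 + b"\x13\x37\x00\xff\x42\x99" + b"\x06"


def compare(records):
    """Return (sslv3_result, tls_result) for each decrypted record."""
    return [(sslv3_padding_ok(r), tls_padding_ok(r)) for r in records]


if __name__ == "__main__":
    for name, result in zip(("well-formed", "altered"),
                            compare([WELL_FORMED, ALTERED])):
        print(f"{name:12} sslv3-style check={result[0]}  tls check={result[1]}")
```

A TLS stack that applies only the first check accepts the altered record, which is the condition the paragraph above describes; a real record layer must also verify the MAC over the data.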
Solution
Apply appropriate patches as mentioned by various vendors
Workaround
- Disable SSL 3.0 support in the client.
- Disable SSL 3.0 support in the server.
- Disable support for CBC-based cipher suites when using SSL 3.0 (in either client or server).
- Implement the new SSL/TLS extension that detects when an active attacker is breaking connections to force the client and server to use SSL 3.0, even though both support TLS 1.0 or better. Both client and server must implement it.
Vendor Information
VMware
http://blogs.vmware.com/security/2014/10/cve-2014-3566-aka-poodle.html
Nginx
http://nginx.com/blog/nginx-poodle-ssl/
Google
http://googleonlinesecurity.blogspot.in/2014/10/this-poodle-bites-exploiting-ssl-30.html
Microsoft
https://technet.microsoft.com/library/security/3009008
Mozilla
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
Red Hat
https://access.redhat.com/articles/1232123
Oracle
https://blogs.oracle.com/security/entry/information_about_ssl_poodle_vulnerability
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_openssl6
Cisco
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
Juniper
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10656
Citrix
http://support.citrix.com/article/ctx200238
Apple
https://support.apple.com/kb/HT6531
https://support.apple.com/en-us/HT204244
F5
https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html
A10 Networks
http://www.a10networks.com/support/advisories/A10-RapidResponse_CVE-2014-8730.pdf
Check Point
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102989
References
Google
http://googleonlinesecurity.blogspot.in/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://chromium.googlesource.com/chromium/src/+/32352ad08ee673a4d43e8593ce988b224f6482d3
Microsoft
https://technet.microsoft.com/library/security/3009008
Mozilla
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
OpenSSL
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://www.openssl.org/news/secadv_20141015.txt
ISC SANS
https://isc.sans.edu/diary/POODLE%3A+Turning+off+SSLv3+for+various+servers+and+client.++/18837
SecurityTracker
http://www.securitytracker.com/id/1031338
X-Force
http://xforce.iss.net/xforce/xfdb/99216
CVE Name
CVE-2014-3566
CVE-2014-8730
CVE-2014-3513
CVE-2014-3567
CVE-2014-3568
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India