'POODLE' Returns to Bite BusinessesVendors Battle TLS Flaw With Flurry of Patches
Security experts are sounding warnings that a type of cryptographic flaw known as POODLE, first publicly revealed Oct. 14 in Secure Sockets Layer, has now also been found in Transport Layer Security. Vendors have begun describing TLS workarounds and issuing patches.
The risk from the POODLE - which stands for Padding Oracle On Downgraded Legacy Encryption - flaw is that attackers can exploit the vulnerability to undercut TLS, which is designed to keep online communications between a client and server private. As a result, an attacker could read encrypted Internet communications as well as steal session cookies and impersonate users.
The latest POODLE flaw - in TLS version 1.2 and before - was discovered by Google security engineer Adam Langley, who says in a Dec. 8 blog post that before publicly disclosing the flaw, he first alerted all vendors that he believed to be at risk, including F9 Networks, which manufactures a widely used load balancer. The vulnerability has now been designated as CVE 2014-8730.
To date, no POODLE attacks against TLS have been seen, but vulnerability management firm Qualys estimates that millions of browsers, not to mention one in 10 websites, are vulnerable to related attacks. The company offers a free test to identify websites that are vulnerable to the flaw, and as of December 10, the list of vulnerable sites included those run by Southwest Airlines, Brigham Young University, Craigslist and Starbucks, as well as Bank of America and JPMorgan Chase.
The first POODLE vulnerability to be found existed in version 3 of Secure Sockets Layer, or SSLv3, which is a 15-year-old cryptographic protocol that's designed to secure Internet communications. As of Oct. 14, when the vulnerability was disclosed, most browsers included - although longer used - SSLv3. But an attacker could force a browser to "downgrade" to that vulnerable cryptographic protocol.
Vendors Issue Patches
Application delivery networking vendors F5 Networks and A10 Networks have confirmed that some of their products are vulnerable to POODLE attacks against TLS. In particular, F5 Networks reports that the flaw exists in 20 of its products - ranging from the BIG-IP Edge Gateway and BIG-IP Link Controller to FirePass and LineRate - and to date has issued patches and workarounds for some affected products.
A10 Networks has also issued patches for its Application Delivery Controller range of products, and says in a security advisory that "at this point, there is no work around and it is necessary to apply the patches provided."
Security experts say more vulnerable products will likely surface soon, as researchers now begin investigating more TLS-using software and hardware.
Beyond the F5 and A10 equipment, meanwhile, "there are other devices known to be affected, and it's possible that the same flaw is present in some SSL/TLS stacks," says Ivan Ristic, director of engineering at Qualys, in a blog post. "We will learn more in the following days."
Meanwhile, some products have yet to be patched against the POODLE flaw in SSL. For example, Kaspersky Lab, confirming some press reports, says its Internet Security anti-virus suite is also at risk from attacks that target POODLE, because the product analyzes HTTPS connections and will enable SSLv3 if a website so requests. "Our specialists are aware of this situation and are currently working on a patch that will remove compatibility with this outdated protocol," Kaspersky spokeswoman Sarah Bergeron tells Information Security Media Group, saying the company plans to release that patch by April 2015.
Until then, Kaspersky says the SSL flaw poses a low risk to users. "Though this version of the protocol is vulnerable and, theoretically, this vulnerability could be exploited to fetch private data, it can only happen if a website does not use up-to-date encryption - and most websites do - and if an attacker succeeds in a complicated man-in-the-middle attack," Bergeron says.
Why POODLE Bites
The POODLE vulnerability exists in TLS - as in SSL before it - because of how both of those crypto protocols pad - or expand - a plain text message to work with a particular cryptosystem. "Even though TLS is very strict about how its padding is formatted, it turns out that some TLS implementations omit to check the padding structure after decryption," Ristic says. "Such implementations are vulnerable to the POODLE attack even with TLS."
Johannes Ullrich, dean of research for the SANS Technology Institute, says in a blog post about the TLS vulnerablity: "The problem is an implementation issue, not so much a problem with the standard as in the original SSLv3 instance."
Easier to Exploit Than SSL
Security experts say that the TLS vulnerability is easier to exploit than the POODLE attack against SSLv3 - and earlier versions - that was uncovered in October. Since then, security experts have urged anyone using a browser that was still SSLv3-compatible to upgrade in order to mitigate the threat from related man-in-the-middle attacks.
"We're done pretty well at killing off SSLv3 in response to that," says Google's Langley. "Chrome 39 - released Nov 18th - removed fallback to SSLv3 and Chrome 40 is scheduled to remove SSLv3 completely. Firefox 34 - released Dec 1st - has already removed SSLv3 support." Microsoft, meanwhile, says that it's disabled SSLv3 support in all supported versions of Internet Explorer, which currently includes IE10 though IE12, and that all of its cloud-based applications should be secured soon too.