Form of message tampering
This article is about the security vulnerability. For the dog breed, see poodle.
| POODLE | |
|---|---|
| CVE identifier(s) | CVE-2014-3566 |
| Date discovered | October 14, 2014 |
| Discoverer | Bodo Möller, Thai Duong, Krzysztof Kotowicz (Google Security Team) |
| Affected software | Any software that supports a fallback to SSL 3.0 |
POODLE (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a security vulnerability which takes advantage of the fallback to SSL 3.0.[1][2][3] If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated "September 2014"[1]).[4] On December 8, 2014, a variation of the POODLE vulnerability that affected TLS was announced.[5]

The CVE-ID associated with the original POODLE attack is CVE-2014-3566. F5 Networks filed for CVE-2014-8730 as well; see the POODLE attack against TLS section below.
Prevention

To mitigate the POODLE attack, one approach is to completely disable SSL 3.0 on the client side and the server side. However, some old clients and servers do not support TLS 1.0 and above. Thus, the authors of the paper on POODLE attacks also encourage browser and server implementation of TLS_FALLBACK_SCSV,[6] which will make downgrade attacks impossible.[1][7]
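The paragraph above names TLS_FALLBACK_SCSV as the fix for the downgrade half of POODLE without saying how the signal works. The following is an added example (not code from the article, from the paper's authors, or from any TLS library) that models the two rules RFC 7507 lays down: a client appends the signalling cipher suite value only when it is retrying at a version below the highest it supports, and a server that sees that value together with a `client_version` below its own maximum refuses the handshake with an `inappropriate_fallback` alert. The cipher-suite value `0x5600` and alert number 86 are the ones RFC 7507 defines; the `ClientHello` structure, the version tuples, the `simulate_fallback_dance` helper and its "drop hellos above a version" stand-in for network interference are constructed for this illustration.

```python
"""Model of TLS_FALLBACK_SCSV handling (RFC 7507).

Added example, not code from the article or from any TLS library.  The
cipher-suite value 0x5600 and the inappropriate_fallback alert (86) are
the ones RFC 7507 defines; the ClientHello structure, the version tuples
and the simulated network faults are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
ALERT_INAPPROPRIATE_FALLBACK = 86   # RFC 7507 alert description

Version = Tuple[int, int]           # (major, minor) as sent on the wire
SSL_3_0: Version = (3, 0)
TLS_1_0: Version = (3, 1)
TLS_1_2: Version = (3, 3)


@dataclass
class ClientHello:
    """Only the two fields the fallback check looks at (constructed)."""
    client_version: Version
    cipher_suites: List[int]


def build_client_hello(offered: Version, client_highest: Version,
                       suites: List[int]) -> ClientHello:
    """Client rule (RFC 7507 section 4): when retrying a handshake at a
    version below the highest one the client supports, append the SCSV so
    the server can tell a downgrade retry from a genuinely old client."""
    suites = list(suites)
    if offered < client_highest and TLS_FALLBACK_SCSV not in suites:
        suites.append(TLS_FALLBACK_SCSV)
    return ClientHello(offered, suites)


def server_check_fallback(hello: ClientHello,
                          server_highest: Version) -> Optional[int]:
    """Server rule (RFC 7507 section 3): the SCSV together with a
    client_version below the server's own maximum means the client was
    pushed down to this version; refuse with inappropriate_fallback.
    Returns the alert number to send, or None to continue the handshake."""
    if (TLS_FALLBACK_SCSV in hello.cipher_suites
            and hello.client_version < server_highest):
        return ALERT_INAPPROPRIATE_FALLBACK
    return None


def simulate_fallback_dance(drop_above: Version, client_highest: Version,
                            server_highest: Version, suites: List[int]):
    """Replay the legacy browser behaviour that POODLE relies on: every
    ClientHello above `drop_above` is dropped (a constructed stand-in for
    the interference that makes the client retry one version lower).
    Returns (negotiated_version, None) or (None, alert_number)."""
    offered = client_highest
    while offered >= SSL_3_0:
        hello = build_client_hello(offered, client_highest, suites)
        if offered > drop_above:
            offered = (offered[0], offered[1] - 1)   # client retries lower
            continue
        alert = server_check_fallback(hello, server_highest)
        if alert is not None:
            return None, alert
        return min(offered, server_highest), None
    return None, None


if __name__ == "__main__":
    suites = [0x002F]  # constructed list: TLS_RSA_WITH_AES_128_CBC_SHA
    # Healthy path: both sides speak TLS 1.2, nothing dropped.
    print(simulate_fallback_dance(TLS_1_2, TLS_1_2, TLS_1_2, suites))  # ((3, 3), None)
    # Forced fallback to SSL 3.0 against a modern server: refused with alert 86.
    print(simulate_fallback_dance(SSL_3_0, TLS_1_2, TLS_1_2, suites))  # (None, 86)
    # Genuinely old server that only speaks SSL 3.0: the SCSV is harmless.
    print(simulate_fallback_dance(SSL_3_0, TLS_1_2, SSL_3_0, suites))  # ((3, 0), None)
```

The third scenario is the reason the paper's authors recommend the SCSV over simply removing fallback: a server that really is limited to SSL 3.0 has a `server_highest` no greater than the offered version, so the check passes and old deployments keep working, while a modern server that is told "this is a retry" at a version below its own refuses. Note that the SCSV only protects connections where both ends implement it; a server that ignores unknown cipher suites still accepts the downgraded hello, which is why disabling SSL 3.0 outright remains the stronger measure.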
Another mitigation is to implement "anti-POODLE record splitting". It splits the records into several parts and ensures none of them can be attacked. However, although such splitting is valid according to the specification, it may also cause compatibility issues due to problems in server-side implementations.[8] A full list of browser versions and levels of vulnerability to different attacks (including POODLE) can be found in the article Transport Layer Security. Opera 25 implemented this mitigation in addition to TLS_FALLBACK_SCSV.[9]

Google's Chrome browser and their servers had already supported TLS_FALLBACK_SCSV. Google stated in October 2014 that it was planning to remove SSL 3.0 support from its products completely within a few months.[7] Fallback to SSL 3.0 was disabled in Chrome 39, released in November 2014.[10] SSL 3.0 was disabled by default in Chrome 40, released in January 2015.[11]

Mozilla disabled SSL 3.0 in Firefox 34 and ESR 31.3, which were released in December 2014, and added support for TLS_FALLBACK_SCSV in Firefox 35.[12]

Microsoft published a security advisory explaining how to disable SSL 3.0 in Internet Explorer and the Windows OS,[13] and on October 29, 2014, Microsoft released a fix which disables SSL 3.0 in Internet Explorer on Windows Vista / Server 2003 and above and announced a plan to disable SSL 3.0 by default in its products and services within a few months.[14] Microsoft disabled fallback to SSL 3.0 in Internet Explorer 11 for Protected Mode sites on February 10, 2015,[15] and for other sites on April 14, 2015.[16]

Apple's Safari (on OS X 10.8, iOS 8.1 and later) mitigated against POODLE by removing support for all CBC-mode cipher suites in SSL 3.0;[17][18] however, this left RC4, which is also completely broken by the RC4 attacks in SSL 3.0. POODLE was completely mitigated in OS X 10.11 (El Capitan, 2015) and iOS 9 (2015).

To prevent the POODLE attack, some web services dropped support for SSL 3.0. Examples include CloudFlare[19] and Wikimedia.[20]

Network Security Services version 3.17.1 (released on October 3, 2014) and 3.16.2.3 (released on October 27, 2014) introduced support for TLS_FALLBACK_SCSV,[21][22] and NSS was scheduled to disable SSL 3.0 by default in April 2015.[23]

OpenSSL versions 1.0.1j, 1.0.0o and 0.9.8zc, released on October 15, 2014, introduced support for TLS_FALLBACK_SCSV.[24] LibreSSL version 2.1.1, released on October 16, 2014, disabled SSL 3.0 by default.[25]
POODLE attack against TLS

A new variant of the original POODLE attack was announced on December 8, 2014. This attack exploits implementation flaws of the CBC encryption mode in the TLS 1.0 to 1.2 protocols. Even though the TLS specifications require servers to check the padding, some implementations fail to validate it properly, which makes some servers vulnerable to POODLE even if they disable SSL 3.0.[5] SSL Pulse showed "about 10% of the servers are vulnerable to the POODLE attack against TLS" before this vulnerability was announced.[26]

The CVE-ID for F5 Networks' implementation bug is CVE-2014-8730. The entry in NIST's NVD states that this CVE-ID is to be used only for F5 Networks' implementation of TLS, and that other vendors whose products contain the same failure to validate the padding, such as A10 Networks and Cisco Systems, need to issue their own CVE-IDs for their implementation errors, because this is not a flaw in the protocol but in the implementation.

The POODLE attack against TLS was found to be easier to initiate than the initial POODLE attack against SSL. There is no need to downgrade clients to SSL 3.0, meaning fewer steps are needed to execute a successful attack.[27]
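Both the lead (SSL 3.0 leaks one byte per 256 requests on average) and the section above (TLS implementations that "fail to validate the padding properly") come down to one receiver-side check. The following is an added example, not code from the article or from any TLS library, that places the SSL 3.0 padding rule beside the TLS one: SSL 3.0 only requires the final padding-length byte to be in range and never looks at the padding bytes themselves, while TLS (RFC 5246 section 6.2.3.2) requires every padding byte to equal that length. A TLS stack that applies the SSL 3.0 rule accepts a record whose padding bytes were disturbed as long as the length byte survived, which is exactly the lax behaviour the F5, A10 and Cisco CVEs describe. The decrypted records, the `BLOCK_SIZE` constant and the `strip_padding` helper are constructed for the illustration, with the MAC step left out to keep the focus on the padding check.

```python
"""SSL 3.0 padding check beside the TLS padding check.

Added example, not code from the article or from any TLS library.  The two
rules are those of the protocols (SSL 3.0 checks only the padding-length
byte; TLS, per RFC 5246 section 6.2.3.2, also requires every padding byte
to equal that length).  The decrypted records below are constructed, with
the MAC left out to keep the focus on the padding step.
"""
import hmac
from typing import Tuple

BLOCK_SIZE = 16  # block size of the (constructed) AES-CBC cipher suite


def ssl3_padding_valid(plaintext: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """SSL 3.0 rule: the last byte is the padding length; it must be smaller
    than the block size and fit in the record.  The padding bytes' contents
    are never looked at, which is what gives the attacker the oracle."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    return pad_len < block_size and pad_len + 1 <= len(plaintext)


def tls_padding_valid(plaintext: bytes) -> bool:
    """TLS rule: every one of the pad_len bytes preceding the length byte must
    hold the value pad_len.  The comparison is done over the whole tail with
    hmac.compare_digest so a mismatch costs the same time wherever it is."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    expected = bytes([pad_len]) * (pad_len + 1)
    return hmac.compare_digest(plaintext[-(pad_len + 1):], expected)


def strip_padding(plaintext: bytes, tls_rules: bool = True) -> Tuple[bytes, bool]:
    """Return (payload, ok).  A record that fails the check should be rejected
    with the same bad_record_mac alert as a MAC failure, so the sender cannot
    tell which check failed; here that is modelled by the single `ok` flag."""
    valid = tls_padding_valid(plaintext) if tls_rules else ssl3_padding_valid(plaintext)
    if not valid:
        return b"", False
    return plaintext[:-(plaintext[-1] + 1)], True


# Constructed decrypted records: a well-formed one with three padding bytes
# plus the length byte, and one whose padding bytes were disturbed while the
# length byte survived (the situation a lax TLS implementation lets through).
GOOD_RECORD = b"GET / HTTP/1.1\r\n" + b"\x03\x03\x03\x03"
TAMPERED_RECORD = b"GET / HTTP/1.1\r\n" + b"\x41\x42\x43\x03"

if __name__ == "__main__":
    print(strip_padding(GOOD_RECORD))                       # (b'GET / HTTP/1.1\r\n', True)
    print(strip_padding(TAMPERED_RECORD))                   # (b'', False)
    print(strip_padding(TAMPERED_RECORD, tls_rules=False))  # (b'GET / HTTP/1.1\r\n', True)
```

The practical check for a defender follows directly from the two functions: a TLS endpoint that returns success for `TAMPERED_RECORD` is applying the SSL 3.0 rule and needs the vendor fix, regardless of whether SSL 3.0 itself is disabled. The full-tail `compare_digest` also avoids reintroducing a timing side channel through the padding check; the MAC must still be verified, and both failures should surface as one `bad_record_mac` alert.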
References

1. Möller, Bodo; Duong, Thai; Kotowicz, Krzysztof (September 2014). "This POODLE Bites: Exploiting The SSL 3.0 Fallback" (PDF).
2. Bright, Peter (October 15, 2014). "SSL broken, again in POODLE attack". Ars Technica.
3. Brandom, Russell (October 14, 2014). "Google researchers reveal new Poodle bug, putting the web on alert".
4. "Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback". Google Online Security Blog. Retrieved June 1, 2015.
5. Langley, Adam (December 8, 2014). "The POODLE bites again". Retrieved December 8, 2014.
6. B. Moeller, A. Langley (April 2015). "RFC 7507: TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks". IETF. doi:10.17487/RFC7507.
7. Möller, Bodo (October 14, 2014). "This POODLE bites: exploiting the SSL 3.0 fallback". Google Online Security blog. Google (via Blogspot). Retrieved October 15, 2014.
8. Langley, Adam (October 14, 2014). "POODLE attacks on SSLv3". imperialviolet.org. Retrieved October 16, 2014.
9. Molland, Havard (October 15, 2014). "Security changes in Opera 25; the poodle attacks". Opera security blog. Opera. Retrieved October 16, 2014.
10. Ilascu, Ionut. "Chrome 39 Disables SSLv3 Fallback, Awards $41,500 / €33,000 in Bounties". Softpedia. Retrieved December 3, 2014.
11. "Issue 693963003: Add minimum TLS version control to about:flags and Finch gate it". Chromium Code Reviews. Retrieved April 16, 2015.
12. "The POODLE Attack and the End of SSL 3.0". Mozilla blog. Mozilla. October 14, 2014. Retrieved October 15, 2014.
13. "Vulnerability in SSL 3.0 Could Allow Information Disclosure". Microsoft TechNet. Microsoft. October 14, 2014. Retrieved October 15, 2014.
14. "Security Advisory 3009008 revised". Microsoft TechNet. Microsoft. October 29, 2014. Retrieved October 30, 2014.
15. (empty entry)
16. "February 2015 security updates for Internet Explorer". IEBlog. April 14, 2015. Retrieved April 15, 2015.
17. "About Security Update 2014-005". apple.com. Retrieved June 1, 2015.
18. "About the security content of iOS 8.1". apple.com. Retrieved June 1, 2015.
19. Prince, Matthew (October 14, 2014). "SSLv3 Support Disabled By Default Due to POODLE Vulnerability". Cloudflare blog. Cloudflare. Retrieved October 15, 2014.
20. Bergsma, Mark (October 17, 2014). "Protecting users against POODLE by removing SSL 3.0 support". Wikimedia blog. Wikimedia Foundation. Retrieved October 17, 2014.
21. "NSS 3.17.1 release notes". Mozilla. October 3, 2014. Archived from the original on April 19, 2019. Retrieved October 27, 2014.
22. "NSS 3.16.2.3 release notes". Mozilla. October 27, 2014. Archived from the original on April 19, 2019. Retrieved October 27, 2014.
23. "Disable SSL 3 by default in NSS in April 2015". mozilla.dev.tech.crypto. October 27, 2014. Retrieved October 27, 2014.
24. "OpenSSL Security Advisory [15 Oct 2014]". OpenSSL. October 15, 2014. Retrieved October 20, 2014.
25. "LibreSSL 2.1.1 released". LibreSSL. October 16, 2014. Retrieved October 20, 2014.
26. Ristic, Ivan (December 8, 2014). "Poodle Bites TLS". Retrieved December 8, 2014.
27. Stosh, Brandon (December 8, 2014). "Nasty POODLE Variant Bypasses TLS Crypto Affecting Over 10 Percent of the Web". Retrieved December 8, 2014.