POODLE 2.0: Here We Go Again (CVE-2014-8730)

Photo By Karin Jonsson (Flickr: Poodle) [CC-BY-2.0 via Wikimedia Commons]


It was just a bit more than a month ago that the POODLE vulnerability in SSLv3 was discovered and sent sysadmins around the world scrambling.

You might remember that the original POODLE vulnerability affected SSLv3, an older protocol that has been largely replaced by the TLS protocol. Since SSLv3 was only available on many systems as a measure to support very old web browsers, it was no big deal to disable it and thereby remove the vulnerability.

But today news is spreading that some TLS implementations can be vulnerable too and that as many as 10% of all web sites may be affected. This new vulnerability has been labeled CVE-2014-8730 and it’s much more serious than the original POODLE.

It’s time to scramble again.

Technical Details

Web browsers will be the main targets of a malicious exploit of the POODLE 2.0 vulnerability. By injecting a small amount of JavaScript into the HTTP/HTTPS stream, the attacker can decrypt cookies one character at a time. Researchers calculate that it would take 256 attempts to decrypt one cookie character, or 4096 attempts to decrypt a 16-character cookie. Each attempt can occur within milliseconds, making it easy for an attacker to gain access to the session cookies that are used to validate access. This is similar to the sniffing attacks that used to occur on shared Wi-Fi networks before vendors started using secure channels for all session tracking, only now those session IDs are vulnerable too.

Put in real terms, this means that when you log into a secure web site, a man-in-the-middle could grab your session cookie and use it to gain full access to that site.
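What a patched TLS stack has to enforce, as an added example that is not from the original post or from any vendor's code: TLS 1.x (RFC 5246, section 6.2.3.2) requires every CBC padding byte to equal the padding length, and a receiver that skips that check accepts 1 of the 256 possible final bytes even when the rest of the padding is arbitrary. The key, the sample data and the simplified MAC (HMAC-SHA1 over the data only) are constructed assumptions.

```python
import hashlib
import hmac

BLOCK = 16                         # AES-CBC block size
MAC_LEN = 20                       # HMAC-SHA1 output size
MAC_KEY = b"constructed-demo-key"  # constructed value, example only


def build_plaintext(data: bytes) -> bytes:
    """Decrypted record layout: data || MAC || padding || padding_length."""
    body = data + hmac.new(MAC_KEY, data, hashlib.sha1).digest()
    pad_len = (BLOCK - 1 - len(body)) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)


def record_ok(plaintext: bytes, strict: bool) -> bool:
    """Validate a decrypted CBC record.

    strict=False models the flawed receiver: only the final length byte
    is used. strict=True adds the TLS rule that every padding byte must
    equal padding_length."""
    pad_len = plaintext[-1]
    if pad_len + 1 + MAC_LEN > len(plaintext):
        return False
    if strict:
        diff = 0
        # Accumulate differences rather than return at the first mismatch.
        for b in plaintext[-(pad_len + 1):]:
            diff |= b ^ pad_len
        if diff:
            return False
    body = plaintext[:-(pad_len + 1)]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(MAC_KEY, data, hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


def accepted_last_bytes(strict: bool) -> list:
    """Swap the all-padding final block for 15 constructed junk bytes plus
    each possible last byte, and list the last-byte values still accepted."""
    good = build_plaintext(b"sample data!")  # 12 + 20 bytes = two full blocks
    junk = bytes(range(0xA0, 0xAF))          # 15 bytes that are not valid padding
    return [v for v in range(256)
            if record_ok(good[:-BLOCK] + junk + bytes([v]), strict)]


if __name__ == "__main__":
    print("lax check accepts last bytes:   ", accepted_last_bytes(strict=False))
    print("strict check accepts last bytes:", accepted_last_bytes(strict=True))
```

The lax receiver accepts exactly one final-byte value in 256 for a record whose padding is otherwise garbage, which is the signal a padding oracle relies on; the strict receiver rejects all 256.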

For sysadmins, this means it is important to patch now in order to protect your corporate sites. Already F5 Networks has reported that some of its load balancers are vulnerable, but a patch is available. Load balancers from A10 Networks are vulnerable too and a patch is expected from them later today. Update: A10 patches can be found here: http://www.a10networks.com/support/security_advisories.php

Monitoring for POODLE 2.0

When the original POODLE vulnerability was discovered we described how to use FrameFlow Server Monitor to make sure the appropriate patches for CVE-2014-3566 were installed for IIS.

We’re waiting on details from Microsoft to see if IIS is affected. So far all signs look good. Qualys has an online test available that will test for many different vulnerabilities including this new one. We tested all of our outward-facing Windows boxes and got a passing grade on all of them. We recommend that you do the same as soon as possible.

One Last Thing

Why the name POODLE? Maybe it seems strange to name a serious security issue after a popular dog breed, but POODLE is actually an acronym for “Padding Oracle On Downgraded Legacy Encryption.” In this case “Oracle” has nothing to do with the company, but is a term used in cryptography related to attacks that reveal parts of encrypted data in successive steps.

Thanks for Reading!

We develop server monitoring software that helps sysadmins to make sure their critical IT systems are running 24×7. If you’re looking for a professional monitoring solution, download our free 30-day edition and see for yourself why our monitoring technology is the best that is out there.