POODLE Patch Post: Monitoring IIS Patches for CVE-2014-3566

Photo By Karin Jonsson (Flickr: Poodle) [CC-BY-2.0 via Wikimedia Commons]
Anyone running web sites on IIS with SSL support should have already rolled out patches for CVE-2014-3566, the vulnerability in SSL v3 which has been labeled POODLE.

What is the POODLE Bug?

"Google researchers have found a severe flaw in an obsolete but still used encryption software, which could be exploited to steal sensitive data… The POODLE attack can force a connection to “fallback” to SSL 3.0, where it is then possible to steal cookies." (Source: Computerworld)

FrameFlow Server Monitor Can Verify POODLE Patch Installation

Did you know that you can use FrameFlow Server Monitor to verify that the patch has been installed on all your systems?

IIS checks several registry entries to decide which secure protocols it will accept. For SSL v2 and SSL v3 those entries are found at these registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server

Each one of these needs to have a DWORD called “Enabled” with its value set to zero.

Event monitor settings for Poodle vulnerability

Need to Apply and Verify the POODLE Patch?

There’s a great thread on Server Fault that offers several tips and techniques for applying the patch.

To use FrameFlow Server Monitor to make sure it has been applied, add two Registry event monitors. Use HKEY_LOCAL_MACHINE for the Root field, and in the Key field use one of the keys listed above in each event monitor instance.

Turn on the options to warn if the key is missing and if the value is missing. To disable the protocol, you want the value to be zero, so set the event monitors to warn if it is greater than zero.
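
For a one-off spot check without the monitor, the same conditions can be tested locally in PowerShell. This is an added example, not part of the original post and not FrameFlow code; the function name Test-SchannelServerProtocol is hypothetical, and the script assumes it is run on the IIS server itself with rights to read HKLM.

```powershell
# Added example (not FrameFlow's code): audit the Schannel server-side
# "Enabled" DWORD for SSL 2.0 and SSL 3.0 on the local machine.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols'

function Test-SchannelServerProtocol {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Protocol)

    $path   = "$Base\$Protocol\Server"
    $status = 'OK'
    $detail = 'Enabled = 0'

    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if ($null -eq $key) {
        $status = 'WARN'; $detail = 'key missing'
    }
    elseif ($key.GetValueNames() -notcontains 'Enabled') {
        $status = 'WARN'; $detail = 'value "Enabled" missing'
    }
    elseif ($key.GetValueKind('Enabled') -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $status = 'WARN'; $detail = '"Enabled" is not a DWORD'
    }
    else {
        $value = $key.GetValue('Enabled')
        # The rule above is "warn if greater than zero"; -ne 0 expresses it
        # and also catches 0xFFFFFFFF whether it is read as signed or unsigned.
        if ($value -ne 0) {
            $status = 'WARN'; $detail = "Enabled = $value"
        }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Protocol = $Protocol
        Status   = $status
        Detail   = $detail
    }
}

$results = 'SSL 2.0', 'SSL 3.0' | ForEach-Object { Test-SchannelServerProtocol -Protocol $_ }
$results | Format-Table -AutoSize

# When saved and run as a script, return a non-zero exit code on any warning
# so a scheduled task or wrapper can alert on it.
if ($results.Status -contains 'WARN') { exit 1 }
```

A clean result only shows the registry setting; as noted below, the change does not take effect until the system has been restarted.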


One more thing to remember: if you’ve already applied the patch, make sure that you’ve rebooted the affected systems too. The change won’t take effect until the systems are restarted.