POODLE attack digs up downgrade flaw in TLS

Why is the ‘POODLE attack’ causing such a security headache?

POODLE is an acronym of ‘Padding Oracle On Downgraded Legacy Encryption’ (otherwise designated CVE-2014-3556) that was named by the publishers of the disclosure, Google researchers Bodo Möller, Thai Duong, and Krzysztof Kotowicz.

Obsolete SSL 3.0 security protocol still being supported

Apologies for the history lesson, but to understand the vulnerabilities that POODLE exploits you need to think 1990s.

The secure sockets layer (SSL) preceded today’s transport layer security (TLS). Both the SSL and TLS are cryptographic protocols providing communication security over the Internet.

The SSL protocol was originally developed by Netscape – you remember, the early browser that preceded Internet Explorer and (briefly) gave Microsoft a run for its money? According to Wikipedia, SSL 3.0 was released back in 1996 when it represented “a complete redesign of the secure sockets layer”.

It may have been a considerable advance in the 1990s, but SSL 3.0 now represents an artefact from the early days of Internet security. Obsolete and insecure, it was replaced, first by TLS 1.0 [1999], then TLS 1.1 [2006], and, in 2008, by TLS 1.2.

TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL 3.0. The differences between these protocols precluded interoperability between TLS 1.0 and SSL 3.0. However, TLS 1.0 did include a means by which a TLS implementation could downgrade the connection to SSL 3.0 – in the interests of a smoother user experience.

As of October 2014, many TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems. POODLE exploits known weaknesses inherent in SSL 3.0 to decrypt sensitive information including secret session cookies, enabling a skilled hacker to hijack user accounts.

‘Downgrade dance’ results in a significant security flaw

To work with legacy servers, TLS clients implement a downgrade dance as follows: in a first handshake attempt, offer the highest protocol version supported by the client; if this handshake fails, retry (possibly repeatedly) with earlier protocol versions. Unlike proper protocol version negotiation (if the client offers TLS 1.2, the server may respond with, say, TLS 1.0), this downgrade can also be triggered by network glitches, or by active attackers controlling the network between the client and the server interferes. Hence, added protection measures included in TLS 1.2 such as Advanced Encryption Standard (AES) cipher suites, are rendered useless if the attacker can downgrade communications streams to SSL 3.0.

To quote Möller, Duong, and Kotowicz:

Encryption in SSL 3.0 uses either the RC4 stream cipher or a block cipher in CBC mode. RC4 is well known to have biases, meaning that if the same secret (such as a password or HTTP cookie) is sent over many connections and thus encrypted with many RC4 streams, more and more information about it will leak. …Unlike with [other] attacks, there is no reasonable workaround. This leaves us with no secure SSL 3.0 cipher suites at all: to achieve secure encryption, SSL 3.0 must be avoided entirely.”

For a full explanation of how the Poodle attack works, see the excellent Security Advisory authored by Bodo Möller, Thai Duong, and Krzysztof Kotowicz (Google, September 2014).

To sum up: POODLE is a flaw in how browsers handle encryption; by negotiating down to SSL 3.0, attackers can alter padding data at the end of a block cipher in a way that forces a slow leak of data. Many of the cipher suites in SSL 3.0 have already been abandoned as insecure, due to small key sizes, biases, and simply having support already removed from browsers.

Geraint Williams, head of Technical Services at IT Governance, advises clients regarding cyber security vulnerability issues. His advice is simple: “Servers and clients should take steps to disable SSLv3 support completely. Many applications use better encryption by default, but implement SSLv3 support as a fallback option. This should be disabled, as a malicious user can force SSLv3 communication if both participants allow it as an acceptable method.

In particular, web browsers may be vulnerable to this issue because of their step-down protocol negotiation. Ensure that your browsers do not allow SSLv3 as an acceptable encryption method. This may be adjustable in the settings, or through the installation of an additional plugin or extension.

You will need to take measures to protect yourself as both a consumer and provider of any resources that utilize SSL encryption.”

Gavin Millard, EMEA technical director at Tenable Network Security, had similar thoughts: “Hopefully the response from system owners and browser vendors will be the disabling of backward compatibility with SSL 3.0, rather than trying to patch or fix through configuration change. POODLE could be a welcome death blow to an ancient standard, forcing the move towards better encryption for the few that still use it to benefit the many that don’t.”

SSL 3.0’s days as a viable security protocol are numbered, and arguably its removal from the scene will help to protect us all.

If you want to understand more about penetration testing, and how they can help improve your cyber security, then download our free Penetration Testing green paper today >>>