Page 1: SSL Poodle Gavriliţă Cristian Cebanu Ghenadie. Contents History Vulnerability description Example Remedies Bibliography

SSL Poodle

Gavriliţă Cristian, Cebanu Ghenadie


Contents

• History
• Vulnerability description
• Example
• Remedies
• Bibliography


History

• "Padding Oracle On Downgraded Legacy Encryption"

• CVE-2014-3556

• September, 2014

• Bodo Möller, Thai Duong, Krzysztof Kotowicz

• Google Security Team


Vulnerability Description

• It’s not an implementation vulnerability
• It’s a design vulnerability
• SSLv3 is affected when CBC encryption is used


Attack conditions

• The padding occupies an entire block (encrypted as Cn).
• The first still-unknown byte of the cookie appears as the last byte of an earlier block (encrypted as Cj).


Core Point

• SSL 3.0 is defined as ignoring the padding bytes (except the last). These bytes are not covered by the MAC and don't have any defined value

• TLS 1.0 is not vulnerable because in TLS 1.0, the protocol specifies that all padding bytes must have the same value, and libraries implementing TLS verify that these bytes have the expected values.
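The difference between the two padding rules, seen from the receiving side, as an added example that is not part of the original slides. It assumes an 8-byte block cipher and uses HMAC-SHA1 as a stand-in for the record MAC; the key, the data and all function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 8          # 8-byte block cipher (e.g. 3DES), assumed for this example
MAC_LEN = 20       # HMAC-SHA1 stands in for the record MAC (simplification)
KEY = b"constructed-mac-key"   # constructed sample key

def mac(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()

def strip_ssl3(plain):
    """SSL 3.0 rule: only the last byte (padding length) is examined."""
    pad_len = plain[-1]
    if pad_len + 1 > BLOCK:
        return None
    return plain[:-(pad_len + 1)]

def strip_tls10(plain):
    """TLS 1.0 rule: every padding byte must equal the padding length."""
    pad_len = plain[-1]
    if pad_len + 1 > len(plain):
        return None
    if any(b != pad_len for b in plain[-(pad_len + 1):]):
        return None
    return plain[:-(pad_len + 1)]

def accepts(plain, strip):
    """Receiver side: remove padding, then verify the MAC over the data."""
    body = strip(plain)
    if body is None or len(body) < MAC_LEN:
        return False
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, mac(data))

def accepted_last_bytes(body, filler, strip):
    """Which padding-length bytes are accepted after `filler` padding bytes?"""
    return [v for v in range(256) if accepts(body + filler + bytes([v]), strip)]

# Constructed record: 12 data bytes + 20 MAC bytes = 32, so padding fills a block.
DATA = b"GET / HTTP/1"
BODY = DATA + mac(DATA)
GOOD_PAD = bytes([BLOCK - 1]) * (BLOCK - 1)   # 7 bytes of value 7
JUNK_PAD = bytes([0xA5]) * (BLOCK - 1)        # 7 arbitrary bytes

if __name__ == "__main__":
    print("SSL 3.0, junk padding:", accepted_last_bytes(BODY, JUNK_PAD, strip_ssl3))
    print("TLS 1.0, junk padding:", accepted_last_bytes(BODY, JUNK_PAD, strip_tls10))
    print("TLS 1.0, good padding:", accepted_last_bytes(BODY, GOOD_PAD, strip_tls10))
```

With arbitrary bytes in the padding block, the SSL 3.0 rule still accepts the record for one of the 256 possible last-byte values, while the TLS 1.0 rule accepts it only when all eight padding bytes are correct.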


CBC encryption


CBC decryption


Practical attack

• The main, and practically the only, plausible scenario where such conditions are met is a Web context: the attacker runs a fake WiFi access point, and injects some JavaScript of their own as part of a Web page (HTTP, not HTTPS) that the victim browses. The evil JavaScript makes the browser send requests to an HTTPS site (say, a bank Web site) for which the victim's browser has a cookie. The attacker wants that cookie.


Remedies (Client side)

• Firefox users can type about:config into their address bar and then security.tls.version.min into the search box. This will bring up the setting that needs to be changed from 0 to 1.


Remedies (Client side)

• On Chrome you can add the command line flag --ssl-version-min=tls1


Remedies (Client side)

• Fixing up Internet Explorer is also pretty easy. Go to Settings, Internet Options and click on the Advanced tab. Scroll down until you see the Use SSL 3.0 checkbox and uncheck it


Remedies (Server side)

• Nginx
– ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
– sudo nginx -t
– sudo service nginx restart


Remedies (Server side)

• HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols


Remedies (Server side)

• Apache
– SSLProtocol All -SSLv2 -SSLv3
– apachectl configtest
– sudo service apache2 restart


TLS_FALLBACK_SCSV

• TLS_FALLBACK_SCSV
• inappropriate_fallback


SSL3 protocol check in TOP 20 banks

• 2 weeks after the announcement of the SSL Poodle vulnerability

• http://www.ssllabs.com/
• Of 20 banks analyzed:
– 15 had not disabled SSL3;
– 2 used only SSL3;
– 3 disabled SSL3 completely;
– 2 disabled SSL3 only for individual persons.


www.info.uaic.ro


Conclusions

• SSLv3 - 1/256 (2^-8)

• TLS - 1/18446744073709551616 (2^-64)

Bibliography

• [1] This Poodle Bites: Exploiting the SSL 3.0 Fallback, Bodo Möller, Thai Duong, Krzysztof Kotowicz, Google, September 2014

• [2] SSL V3 goes to the dogs - Poodle kills off protocol, https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/

• [3] http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability

• [4] http://habrahabr.ru/company/mailru/blog/241113/

• [5] http://habrahabr.ru/company/first/blog/242493/

• [6] https://support.microsoft.com/kb/187498/en-us

