SSL 3.0 Vulnerability “POODLE”

Posted by / Oct 16, 2014 / Categories: Security Alerts / 1 Comment

Earlier today, Google announced a vulnerability in SSL called POODLE, which is short for Padding Oracle On Downgraded Legacy Encryption. The vulnerability can be exploited through man-in-the-middle attacks, and allows an attacker to decrypt ciphertext by using a padding oracle side-channel attack.

As this is a new vulnerability, there are no patches available yet, so the recommended mitigation is to disable SSL 3.0 and use TLS (ideally TLS version 1.2 over 1.1 or 1.0), as the vulnerability does not affect TLS. It is, however, not implementation-specific: it is a flaw in the design of the protocol, so it is not limited to OpenSSL etc.

How to test to see if you are running SSL 3.0

nmap --script ssl-enum-ciphers -p 443 IP_Address_or_domain.tld

What you want to see is…

*SSLv3: No supported ciphers found*

How to disable SSL 3.0 in Nginx

In the Nginx configuration, add this line after the line that reads “ssl on”

*ssl_protocols TLSv1.2 TLSv1.1 TLSv1;*

How to disable SSL 3.0 in Apache

In your Apache configuration file, add the following line among the other SSL directives and then restart Apache

SSLProtocol All -SSLv2 -SSLv3
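
A config check for the two directives above, as an added example that is not part of the original article: it reports whether an Nginx ssl_protocols or Apache SSLProtocol line still leaves SSLv3 enabled. It assumes Apache's "All" includes SSLv3 (as the "-SSLv3" in the line above implies) and that a bare Apache token replaces the set while +/- adjust it; the function names and the sample config are constructed for illustration.

```python
import re

# Assumption: "All" includes SSLv3, as the page's "All -SSLv2 -SSLv3" implies.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
DIRECTIVE = re.compile(
    r"^[ \t]*(SSLProtocol|ssl_protocols)[ \t]+([^#;\n]+)", re.I | re.M)

# Constructed sample config lines (not taken from a real server).
SAMPLE = """\
# mixed Apache / Nginx lines for demonstration
SSLProtocol All -SSLv2
SSLProtocol All -SSLv2 -SSLv3
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
"""


def apache_protocols(args):
    """Evaluate SSLProtocol tokens left to right (names lower-cased)."""
    enabled = set()
    for token in args.lower().split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        group = set(APACHE_ALL) if name == "all" else {name}
        if sign == "-":
            enabled -= group      # "-SSLv3" removes the protocol
        elif sign == "+":
            enabled |= group      # "+TLSv1.2" adds it
        else:
            enabled = group       # a bare token replaces what came before
    return enabled


def audit(config_text):
    """Return (directive, line_no, enabled_protocols, sslv3_enabled) tuples."""
    findings = []
    for m in DIRECTIVE.finditer(config_text):
        name, args = m.group(1), m.group(2).strip()
        line_no = config_text.count("\n", 0, m.start(1)) + 1
        if name.lower() == "sslprotocol":
            enabled = apache_protocols(args)
        else:                     # Nginx lists the enabled protocols explicitly
            enabled = set(args.lower().split())
        findings.append((name, line_no, sorted(enabled), "sslv3" in enabled))
    return findings


if __name__ == "__main__":
    for name, line_no, enabled, sslv3 in audit(SAMPLE):
        print(f"line {line_no}: {name} -> {enabled} SSLv3={'ON' if sslv3 else 'off'}")
```

Only directives that are present are evaluated; a server block with no protocol directive falls back to the default of the installed version, which this check does not model.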

Further References

Google: http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html

OpenSSL: https://www.openssl.org/~bodo/ssl-poodle.pdf

About the author
This article was contributed by Liam Somerville, who is the lead IT Security Engineer for a global financial organisation
1 comment
  • Also in Apache, if you're looking to enable Forward Secrecy without having issues with the weak RC4 jumping in, try using the following config before your VirtualHosts, and make sure none of your VirtualHosts are overriding the following as well:


    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

    If you’re trying to do the above in cPanel, you may struggle, but a workaround for this is to log in to Web Host Manager (WHM), go to Apache Configuration -> Include Editor, then under “Pre-VirtualHost Include” select “All Versions” from the dropdown box, then copy and paste the above code and press update. The page you’re editing will look something like this screencap. This will override the “SSL Cipher Suite” under “Global Configuration”; we need to do this because WHM doesn’t let us enter the above string since it doesn’t know how to parse it.

    Once you’re done setting this up, you can test if it was successful by using the Qualys Lab SSL Server Test, this tool will also tell you if your server is vulnerable to any SSL attacks such as POODLE, Heartbleed and BEAST. You can compare your results to my server here Qualys SSL datascribe.co.uk Test.