SSLv3 POODLE Vulnerability Official Release

Published: 2014-10-14
Last Updated: 2014-10-15 14:03:16 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Finally we got an official announcement. For all the details, jump straight to the original announcement [1]. Below see the TL;DR; version:

The problem is limited to SSLv3. SSLv3 is often considered similar to TLSv1.0, but the two protocols are different.

SSLv3 had issues in the past. Remember the BEAST attack? It was never resolved (other then moving to TLS 1.1/2). The only alternative was to use a stream cipher like RC4, which had its own problems.

But this POODLE issue is different. With block ciphers, we have a second problem: What if the block to be encrypted is too short? In this case, padding is used to make up for the missing data. Since the padding isn't really considered part of the message, it is not covered by the MAC (message authorization code) that verified message integrity.

So what does this mean in real live? The impact is similar to the BEAST attack. An attacker may either play MitM, or may be able to decrypt parts of a message if the attacker is able to inject data into the connection just like in the BEAST attack. The attack allows one to decrypt one byte at a time, if the attacker is able to inject messages right after that byte that include only padding.

What should you do: Disable SSLv3. There is no patch for this. SSLv3 has reached the end of its useful life and should be retired. 

This isn't a "patch now". Give it some time, test it carefully, but get going with it. The other problem is that this is a client and a server issue. You need to disable SSLv3 on either. Start with the servers for highest impact, but then see what you can do about clients.

The other option to "fix" this problem is to use SSL implementations that take advantage of the TLS_FALLBACK_SCSV feature. This feature notifies the other side that you first tried the stronger cipher. This way, they can reject the downgrade attempt that may have been introduced by a MitM attack. But it isn't clear which implementations use this feature at this point, and which don't. A patch for OpenSSL 1.0.1 was released earlier today implementing TLS_FALLBACK_SCSV

FAQ

To test if your server is vulnerable: Use https://ssltest.com

To test if your client is vulnerable: We setup a test page at https://www.poodletest.com . If you can connect, then your client supports SSLv3 .

So far, we tested :

  Firefox 32 IE 11 Safari 7.1 Chrome 37 Opera
Windows 7  ok vuln vuln vuln  
OS X 10.9.5 ok N/A vuln vuln  
iOS 8.0.2 vuln N/A vuln vuln vuln

To turn off SSLv3 support in Internet Explorer 11:

Setting -> Internet Options -> Advanced Tab -> Uncheck "SSLv3" under "Security".

 

[1] https://www.openssl.org/~bodo/ssl-poodle.pdf

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
3 comment(s)

OpenSSL Vulnerability leaked via OpenBSD patch (NOT!)?

Published: 2014-10-14
Last Updated: 2014-10-14 22:05:39 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Yesterday, a number of news sites published speculative reports about a possible OpenSSL bug to be fixed today. According to these reports, the bug affects SSL 3, and is "critical". Can't wait for the official announcement to see what is actually happening here ;-)

Initially, it looked like an OpenBSD patch lead to an answer, but turns out the patch was old (thx to those who wrote in and responded, in particular based on the tweet by @martijn_grooten ). But instead, there are new leads now, in particular a discussion on Stackexchange [1]. In this discussion, a comment by Thomas Pornin outlines how padding in SSLv3 can lead to MitM attacks. This would be an outright attack against the SSLv3 protocol, and less against a specific implementation. It would affect clients as well as servers. 

We will update this post as we learn more. At this point: Don't panic and wait for a patch from your respective vendor. We are not aware of any active exploitation of this problem, but please let us know if you see any evidence of that happening.

If you choose to disable SSLv3 on a server, but leave TLS 1.0 enabled, Windows XP with IE 6 will no longer be able to connect (but older versions of IE will be able to connect from Windows XP machines).

How can you test if a server supports SSLv3? Either use ssllabs.com, or using the openssl client: (if it connects, it supports SSLv3)

openssl s_client -ssl3 -connect [your web server]:443 

How can I check if my browser can live without SSLv3? If you can read this, then you support TLSv1 or higher. I turned off SSLv3 support on this site for now. But pretty much all browsers support SSLv3.

You tell us not to panic, but you turned of SSLv3? Yes. I wanted to see what happens if I turn off SSLv3. So far, the only issue I found was Windows XP with IE 6, a configuration I probably don't want to support anyway.


[1] http://chat.stackexchange.com/transcript/message/18152298#18152298

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
0 comment(s)
Updates for Firefox and Thunderbird. http://www.mozilla.org/firefox/new/

Microsoft October 2014 Patch Tuesday

Published: 2014-10-14
Last Updated: 2014-10-14 20:08:43 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Microsoft only published 8 instead of the promised 9 bulletins. Also, of particular interest is MS14-060 which was pre-announced by iSight Partners. iSight has seen this vulnerability exploited in some "APT" style attacks against NATO/US military interests and attributes these attacks to Russia. Attacks like this have happened with many Office vulnerabilities in the past, but it is unusual for a company to announce the respective attacks and CVE numbers ahead of Microsoft's bulletin release. Note that we got a total of 3 already exploited vulnerabilities in this month's release. Don't believe patching fast will protect you. You are probably a few weeks if not months behind at the time the patch is released.

Overview of the October 2014 Microsoft patches and their status.

# Affected Contra Indications - KB Known Exploits Microsoft rating(**) ISC rating(*)
clients servers
MS14-056 Cumulative Security Update for Internet Explorer (replaces MS14-052)
Microsoft Windows, Internet Explorer
CVE-2014-4123, CVE-2014-4124, CVE-2014-4126, CVE-2014-4127, CVE-2014-4128, CVE-2014-4129, CVE-2014-4130, CVE-2014-4132, CVE-2014-4133, CVE-2014-4134, CVE-2014-4137, CVE-2014-4138, CVE-2014-4141, CVE-2014-4123, CVE-2014-4124, CVE-2014-4126, CVE-2014-4127, CVE-2014-4128, CVE-2014-4129, CVE-2014-4130, CVE-2014-4132, CVE-2014-4133, CVE-2014-4134, CVE-2014-4137, CVE-2014-4138, CVE-2014-4140, CVE-2014-4141
KB 2987107

CVE-2014-4123 has been exploited.

Severity:Critical
Exploitability: 1
Critical Important
MS14-057 Vulnerabilities in .NET Framework Could Allow Remote Code Execution (replaces MS12-016)
Microsoft Windows, Microsoft .NET Framework

CVE-2014-4073
CVE-2014-4121
CVE-2014-4122
KB 3000414 No. Severity:Critical
Exploitability: 2
Critical Critical
MS14-058 Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution (replaces MS14-015)
Microsoft Windows

CVE-2014-4113
CVE-2014-4148
KB 3000061 Yes. Used in Limited Attacks Severity:Critical
Exploitability: 0
Critical Critical
MS14-059 Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass 
Microsoft Developer Tools

CVE-2014-4075
KB 2990942

Publicly disclosed,not
exploited. 

Severity:Important
Exploitability: 3
Less Important Important
MS14-060 Vulnerability in Windows OLE Could Allow Remote Code Execution  (replaces MS12-005)
Microsoft Windows

CVE-2014-4114
KB 3000869 yes. against powerpoint. See iSight disclosure. Severity:Important
Exploitability: 0
Critical Important
MS14-061 Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (MS14-034, MS14-017)
Microsoft Office, Microsoft Office Services, Microsoft Office Web Apps

CVE-2014-4117
KB 3000434 No. Severity:Important
Exploitability: 1
Critical Important
MS14-062 Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (MS09-040)
Microsoft Windows

CVE-2014-4971
KB 2993254 publicly disclosed but not exploited. Severity:Important
Exploitability: 1
Important Important
MS14-063 Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege 
Microsoft Windows

CVE-2014-4115
KB 2998579 No. Severity:Important
Exploitability: 1
Important Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical enviro\ nments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical \ deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to t\ est and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or lei\ sure work.
    • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords: mspatchday
3 comment(s)

Adobe October 2014 Bulletins for Flash Player and Coldfusion

Published: 2014-10-14
Last Updated: 2014-10-14 18:55:55 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Adobe published two security bulletins today:

APSB-22 [1] : fixes 3 vulnerabilities in Adobe Flash Player as well as in Adobe Air. The vulnerabilities are rated with a priority of "1" for Flash Player running on Windows and OS X , which means they have already been exploited in targeted attacks.

APSB-23 [2] : another 3 vulnerabilities, but this time in Cold Fusion. The priority for these updates is "2" which indicates that they have not yet been exploited in the wild. 

[1] http://helpx.adobe.com/security/products/flash-player/apsb14-22.html
[2] http://helpx.adobe.com/security/products/coldfusion/apsb14-23.html

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords: adobe patches
0 comment(s)
ISC StormCast for Tuesday, October 14th 2014 http://isc.sans.edu/podcastdetail.html?id=4191

Comments


Diary Archives