POODLE can Hurt Some TLS Applications

Wednesday, December 10, 2014 @ 01:12 PM gHale

The SSL 3.0 communication protocol vulnerability exploited through the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack can also bring about issues with some Transport Layer Security (TLS) applications.

In mid-October, researchers released information about a method that allowed an attacker to decrypt sensitive information, such as authentication cookies, sent through an SSL connection.

POODLE Fix It Released by Microsoft
Cisco Working to Fix POODLE Vulnerabilities
POODLE Marks Rough End to SSL 3.0

The attack required the bad guys to intercept the communication from the client to the HTTPS server and to downgrade the connection to SSL 3.0, which relies on a vulnerable CBC-mode (cipher-block chaining) cipher suite to protect the data in transit.

At the time, researchers believed POODLE affected only SSL 3.0, but a Google security engineer found the issue extends to TLS implementations with an SSL 3.0 decoding function.

Older versions of NSS (Network Security Services), Mozilla’s cryptographic library employed in different products of the company, including Firefox, suffer from the problem, and so are other products, as Google’s Adam Langley discovered.

He found websites with load balancing devices from F5 Networks and A10 Networks were vulnerable.

Even if the sites use TLS, if the protocol relies on a decoding function from SSL 3.0, the padding bytes do not end up defined for the encrypted packets. As such, the padding structure cannot end up verified after decryption, making a POODLE attack possible.

F5 and A10 are the vendors with vulnerable products identified by Langley, but the security engineer believes that others may also suffer from the issue.

“F5 have posted patches for their products and A10 should be releasing updates today. I’m not completely sure that I’ve found every affected vendor, but now that this issue is public, any other affected products should quickly come to light,” Langley said in a Monday blog post.

Leave a Reply

You must be logged in to post a comment.