The POODLE attack against SSLv3 that researchers from Google revealed earlier this year also affects some implementations of TLS and vendors now are scrambling to release patches for gear affected by the vulnerability.
Soon after the POODLE attack was disclosed in October, researchers began looking into whether it might affect protocols other than SSLv3. It quickly became clear that under some circumstances, TLS, the replacement protocol for SSL, would be vulnerable to POODLE as well. Researcher Adam Langley of Google wrote a scanner to look for sites that are using TLS and are vulnerable to the attack.
POODLE is an attack that allows an attacker to take advantage of the fact that when a secure connection attempt fails, under some circumstances the Web server will fall back to an older protocol and try to renegotiate the secure connection. If the server supports SSLv3, an old protocol, and the attacker can force the failed connection attempt, the attacker can then execute a padding oracle attack against the server and eventually decrypt the contents of the secure connection.
“We’re removing SSLv3 in favour of TLS because TLS fully specifies the contents of the padding bytes and thus stops the attack. However, TLS’s padding is a subset of SSLv3’s padding so, technically, you could use an SSLv3 decoding function with TLS and it would still work fine. It wouldn’t check the padding bytes but that wouldn’t cause any problems in normal operation. However, if an SSLv3 decoding function was used with TLS, then the POODLE attack would work, even against TLS connections,” Langley wrote in a blog post explaining the issue with TLS.
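As an added illustration, not code from the article or from any of the vendors named, the Python below sketches the two decoding functions Langley contrasts: an SSLv3-style unpad that trusts only the length byte, and a TLS-style unpad that checks every padding byte. The 16-byte block size, the sample message and the 0xFF filler byte are constructed for the example.

```python
from typing import Optional

BLOCK = 16  # block size of a CBC cipher suite; constructed for this example


def tls_pad(plaintext: bytes, pad_len: int) -> bytes:
    """TLS padding: pad_len + 1 trailing bytes, every one equal to pad_len."""
    assert 0 <= pad_len <= 255 and (len(plaintext) + pad_len + 1) % BLOCK == 0
    return plaintext + bytes([pad_len]) * (pad_len + 1)


def sslv3_pad(plaintext: bytes, pad_len: int) -> bytes:
    """SSLv3 padding: pad_len filler bytes of unspecified value, then the length byte.
    A fixed 0xFF filler stands in for the arbitrary bytes a real stack would emit."""
    assert 0 <= pad_len < BLOCK and (len(plaintext) + pad_len + 1) % BLOCK == 0
    return plaintext + b"\xff" * pad_len + bytes([pad_len])


def sslv3_unpad(record: bytes) -> Optional[bytes]:
    """SSLv3-style decoder: reads the length byte and never inspects the filler.
    Accepts any TLS-padded record too, which is the reuse Langley warns about."""
    if not record or len(record) % BLOCK:
        return None
    pad_len = record[-1]
    if pad_len >= BLOCK or pad_len + 1 > len(record):
        return None
    return record[:-(pad_len + 1)]


def tls_unpad(record: bytes) -> Optional[bytes]:
    """TLS-style decoder: every padding byte must equal the length byte."""
    if not record or len(record) % BLOCK:
        return None
    pad_len = record[-1]
    if pad_len + 1 > len(record):
        return None
    if any(b != pad_len for b in record[-(pad_len + 1):]):
        return None
    return record[:-(pad_len + 1)]


def compare_decoders(record: bytes) -> dict:
    """Run both decoders on one record; None means the decoder rejected it."""
    return {"sslv3": sslv3_unpad(record), "tls": tls_unpad(record)}


if __name__ == "__main__":
    msg = b"GET / HTTP/1.1"                 # 14 bytes, needs 2 bytes of padding
    good = tls_pad(msg, 1)
    damaged = good[:-2] + bytes([good[-2] ^ 0x01]) + good[-1:]  # corrupt a filler byte
    print(compare_decoders(good))          # both recover the message
    print(compare_decoders(damaged))       # only the TLS decoder notices the change
```

The damaged record shows the defect in one line: a decoder that ignores the filler bytes cannot distinguish a record whose padding was altered from a clean one, while the full TLS check rejects it outright.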
“Unfortunately, I found a number of major sites that had this problem. At least one of whom I had good enough contacts at to quickly find that they used an F5 device to terminate connections.”
F5, which sells a variety of security and other appliances, has released patches for its affected products. Langley also discovered that some products from A10 Networks are vulnerable to the POODLE attack on TLS, but it took two weeks for him to get in touch with the right contact at the company. A10 is due to release its patches on Tuesday. Langley also noted that there may well be other vendors with vulnerable products that haven’t been discovered yet.
“This seems like a good moment to reiterate that everything less than TLS 1.2 with an AEAD cipher suite is cryptographically broken. An IETF draft to prohibit RC4 is in Last Call at the moment but it would be wrong to believe that RC4 is uniquely bad,” Langley said.
Image from Flickr photos of All-Nite Images.