In mid-October a serious security bug in Secure Sockets Layer
(SSL) 3.0 was revealed. SSL is the technology that many commercial web sites
use to safeguard the security and privacy of communications with clients and
customers. The bug was named “POODLE,” an acronym for Padding Oracle On
Downgraded Legacy Encryption, and all systems and applications that use SSL 3.0
with cipher-block chaining (CBC) mode were vulnerable. In the attack, an
attacker injects malicious JavaScript into the victim’s browser, which allows
the attacker to observe and tamper with encrypted network traffic on the wire.

On December 8th, a new POODLE flaw was announced that extends to specific
versions of an SSL-like encryption standard known as Transport Layer Security
(TLS). When POODLE was repurposed to attack TLS, it was discovered that although
TLS is very strict about how its padding is formatted, some implementations
fail to check the padding structure after decryption. The main target of POODLE
TLS is browsers, because the attacker must inject malicious JavaScript to
initiate the attack. The impact of this issue is very similar to that of POODLE,
and the attack is even easier to execute because there is no need to downgrade
modern clients to SSL 3 first. A successful attack takes about 256 requests to
uncover one cookie character, or only 4096 requests for a 16-character cookie.
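
The padding check described above, as an added example that is not part of the original post: a model of a receiver parsing a decrypted CBC record (payload, MAC, padding) with the lax check beside the strict TLS one. The key, payload and function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16                           # AES-CBC block size in bytes
MAC_KEY = b"constructed-demo-key"    # constructed value, not from the post
MAC_LEN = 20                         # HMAC-SHA1 tag length

def _mac(payload: bytes) -> bytes:
    return hmac.new(MAC_KEY, payload, hashlib.sha1).digest()

def build_record(payload: bytes) -> bytes:
    """payload || MAC || padding, where every padding byte equals pad_len (TLS rule)."""
    body = payload + _mac(payload)
    pad_len = BLOCK - 1 - (len(body) % BLOCK)
    return body + bytes([pad_len]) * (pad_len + 1)

def accept(plaintext: bytes, strict: bool) -> bool:
    """Receiver-side check on a decrypted record.

    strict=False trusts only the final length byte (the flawed behaviour).
    strict=True also requires every padding byte to equal pad_len.
    Structural model only: real TLS stacks do both checks in constant time.
    """
    pad_len = plaintext[-1]
    if pad_len + 1 + MAC_LEN > len(plaintext):
        return False
    if strict and plaintext[-(pad_len + 1):] != bytes([pad_len]) * (pad_len + 1):
        return False
    body = plaintext[:-(pad_len + 1)]
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, _mac(payload))

def accepted_final_bytes(strict: bool) -> int:
    """Replace the all-padding final block with arbitrary bytes and count how
    many of the 256 possible last-byte values the receiver still accepts."""
    good = build_record(b"cookie=demo1")       # 12 + 20 bytes, so padding fills one block
    junk = bytes(range(0xA0, 0xAF))            # 15 constructed non-padding bytes
    return sum(accept(good[:-BLOCK] + junk + bytes([b]), strict) for b in range(256))

if __name__ == "__main__":
    print("lax check accepts   :", accepted_final_bytes(strict=False), "of 256")
    print("strict check accepts:", accepted_final_bytes(strict=True), "of 256")
```

The lax receiver accepts exactly one of the 256 malformed final blocks, which is the roughly 1-in-256 signal per byte behind the request counts quoted above; the strict receiver accepts none.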

The POODLE attack is considered to carry less risk than the Shellshock and
Heartbleed attacks, but that does not mean it should be ignored. Users can
easily disable SSL 3 in their browsers to protect themselves from potential
attacks. Web site operators should disable SSL 3 on their servers as soon as
possible, even if the most recent TLS version is supported, because an active
MITM attacker can force browsers to downgrade their connections to SSL 3 and
then exploit them.