SSLv3 "POODLE" Vulnerability CVE-2014-3566
Websense® Security Labs are aware of a critical vulnerability in SSLv3, dubbed "POODLE" by the Google Security Team. The vulnerability is also described in a security advisory from OpenSSL and has been assigned the CVE number CVE-2014-3566.
Readers, take note! This is a major security risk, and you should take action immediately to mitigate this issue. Both Google and Mozilla are planning on removing all support for SSLv3 in their browsers in the coming months. Mozilla Firefox will discontinue support for SSLv3 on November 25 and Google Chrome will also stop supporting SSLv3 "in the coming months".
How is it exploited?
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. TLS (Transport Layer Security) has since superseded SSL; however, support for the older SSL version 3.0 still exists in the majority of applications, so software (such as browsers) can be forced into using a vulnerable SSLv3 connection.
The vulnerability can be exploited by inducing a client's browser to make multiple requests over HTTPS with SSLv3 and inferring details about the encrypted contents, which allows an attacker to compromise the security of SSLv3.
What is the risk?
Websense Security Labs researchers view this as a critical vulnerability that is likely to be exploited in the wild, and can result in significant data theft. Research currently indicates that the vulnerability is only applicable to client-side software, and is most likely to affect web browsers. It is strongly recommended that you take the appropriate steps to secure any affected applications using SSLv3.
What actions should you take?
There are several ways of mitigating this vulnerability. Despite the issue being client-side, taking steps to secure server-side applications will prevent the issue from being exploited in the first place. It is recommended to follow as many of the steps below as possible, listed in order of priority as determined by Websense Security Labs researchers:
- End Users: Upgrade your internet browsers to their latest versions.
- End Users & Developers: Disable SSL 3.0 support in all client-based applications where possible. It is most likely that the issue will affect browsers; please consult your browser's documentation for information on how to disable SSLv3 support. All other software supporting SSLv3 should also be updated as soon as possible.
- Developers & System Administrators: Disable SSL 3.0 support in all server-based applications where possible, as this will prevent a vulnerable client from using SSLv3.
- Developers & System Administrators: If disabling SSL 3.0 immediately is unacceptable, use TLS_FALLBACK_SCSV in all TLS implementations and ensure both client and server implement the fallback mechanism.
Websense Security Labs will continue to monitor this issue as it evolves, and will update this blog accordingly with any significant new information.