(Padding Oracle On Downgraded Legacy Encryption)
Release Date : 14th October, 2014
CVE No. :
CVE-2014-3566
Attack on : SSL v3.0
Type : Protocol
Flaw
Impact : Can steal “secure” HTTP
cookies or other
bearer tokens such as HTTP Authorization header contents.
SSL 3.0 is an obsolete and insecure protocol. SSL 3.0 has been
replaced by its successors TLS 1.0, TLS 1.1, and TLS 1.2, but TLS
implementations remain backwards compatible with SSL 3.0
to inter-operate with legacy systems in the interest of a smooth
user experience. The SSL handshake method provides facilities for authenticated
version negotiation, so normally the latest protocol version common to the
client and the server will be used. However, even if a client and server both
support a version of TLS, the security level offered by SSL 3.0 is still
relevant since many clients implement a protocol downgrade dance to work around
server-side inter-operability bugs.
The POODLE attack takes advantage of the protocol version negotiation
feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this
new vulnerability to decrypt select content within the SSL session. The
decryption is done byte by byte and will generate a large number of connections
between the client and server.
To work with legacy servers, many TLS clients implement a
downgrade dance: in a first handshake attempt, offer the highest protocol
version supported by the client; if this handshake fails, retry (possibly
repeatedly) with earlier protocol versions. Unlike proper protocol version
negotiation (if the client offers TLS 1.2, the server may respond with, say,
TLS 1.0), this downgrade can also be triggered by network glitches, or by
active attackers. So if an attacker that controls the network between the
client and the server interferes with any attempted handshake offering TLS 1.0
or later, such clients will readily confine themselves to SSL 3.0.
In the web setting, this SSL 3.0 weakness can be exploited by a
man in the middle attacker to decrypt “secure” HTTP cookies, using
techniques from the BEAST attack. To launch the POODLE attack, run a JavaScript
agent on http://example.com (Evil site) to get the victim’s browser to send
cookie bearing HTTPS requests to https://example.com, and intercept and modify
the SSL records sent by the browser in such a way that there’s a non-negligible
chance that example.com will accept the modified record. If the modified record
is accepted, the attacker can decrypt one byte of the cookies.
The attacker controls both the request path and the request body,
and thus can induce requests such that the following two conditions hold:
● The padding fills an entire block.
● The cookies’ first as of yet unknown byte appears as
the final byte in an earlier block.
Recommendations:
- The attack described above requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol in the client or in the server (or both) will completely avoid it.
- Disabling SSL 3.0 entirely right away may not be practical if it is needed occasionally to work with legacy systems. So, it is advisable to implement TLS_FALLBACK_SCSV on browser and server, which will make downgrade attacks impossible.
