Tuesday, January 20, 2015

POODLE

(Padding Oracle On Downgraded Legacy Encryption)

Release Date : 14th October, 2014
CVE No.      : CVE-2014-3566
Attack on    : SSL v3.0
Type         : Protocol Flaw
Impact       : Can steal “secure” HTTP cookies or other bearer tokens such as HTTP Authorization header contents.

SSL 3.0 is an obsolete and insecure protocol. It has been replaced by its successors TLS 1.0, TLS 1.1, and TLS 1.2, but TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience. The SSL handshake provides authenticated version negotiation, so normally the latest protocol version common to the client and the server will be used. However, even if a client and server both support a version of TLS, the security level offered by SSL 3.0 is still relevant, since many clients implement a protocol downgrade dance to work around server-side interoperability bugs.

The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this new vulnerability to decrypt select content within the SSL session. The decryption is done byte by byte and will generate a large number of connections between the client and server.

To work with legacy servers, many TLS clients implement a downgrade dance: in a first handshake attempt, offer the highest protocol version supported by the client; if this handshake fails, retry (possibly repeatedly) with earlier protocol versions. Unlike proper protocol version negotiation (if the client offers TLS 1.2, the server may respond with, say, TLS 1.0), this downgrade can also be triggered by network glitches, or by active attackers. So if an attacker that controls the network between the client and the server interferes with any attempted handshake offering TLS 1.0 or later, such clients will readily confine themselves to SSL 3.0.

In the web setting, this SSL 3.0 weakness can be exploited by a man-in-the-middle attacker to decrypt “secure” HTTP cookies, using techniques from the BEAST attack. To launch the POODLE attack, the attacker runs a JavaScript agent on http://example.com (the evil site) to get the victim’s browser to send cookie-bearing HTTPS requests to https://example.com, and intercepts and modifies the SSL records sent by the browser in such a way that there’s a non-negligible chance that example.com will accept the modified record. If the modified record is accepted, the attacker can decrypt one byte of the cookies.

The attacker controls both the request path and the request body, and thus can induce requests such that the following two conditions hold:
● The padding fills an entire block.
● The first as-yet-unknown byte of the cookies appears as the final byte of an earlier block.
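Why a modified record has a "non-negligible chance" of being accepted comes down to how the receiver checks CBC padding. The following model, added here and not code from the original post, stands a toy 8-byte Feistel cipher and a truncated HMAC in for the real cipher and MAC (both assumptions, so that it runs offline) and measures how often a receiver accepts a record whose final ciphertext block has been replaced by an earlier one: under the SSL 3.0 rule, which checks only the pad-length byte, about 1 in 256; under the TLS rule, which checks every pad byte, never.

```python
import hashlib, hmac, random

BS, MACLEN = 8, 8  # toy block and MAC sizes (SSL 3.0 with 3DES also used 8-byte blocks)
# Constructed 32-byte request (4 blocks): with the MAC as block 4 and a pad filling all of block 5,
# the last byte of plaintext block 3 (": s=1234") is a cookie byte, so both POODLE conditions hold.
MSG = b"GET /ab HTTP/1.0\r\nCookie: s=1234"

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, half, r):  # Feistel round function: keyed hash, half a block wide (toy cipher only)
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:BS // 2]
def mac(key, data):  # stand-in for the record MAC (assumption: truncated HMAC-SHA256)
    return hmac.new(key, data, hashlib.sha256).digest()[:MACLEN]
def block_encrypt(key, b):
    lt, rt = b[:BS // 2], b[BS // 2:]
    for i in range(4):
        lt, rt = rt, _xor(lt, _f(key, rt, i))
    return lt + rt
def block_decrypt(key, b):
    lt, rt = b[:BS // 2], b[BS // 2:]
    for i in reversed(range(4)):
        lt, rt = _xor(rt, _f(key, lt, i)), lt
    return lt + rt
def cbc_encrypt(key, iv, padded):
    out = [iv]
    for i in range(0, len(padded), BS):
        out.append(block_encrypt(key, _xor(padded[i:i + BS], out[-1])))
    return b"".join(out[1:])
def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BS] for i in range(0, len(ct), BS)]
    return b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
def unpad_sslv3(pt):  # SSL 3.0 checks only the pad-length byte; the pad bytes themselves may be anything
    n = pt[-1]
    return pt[:-(n + 1)] if n < BS else None
def unpad_tls(pt):  # TLS 1.0+ requires every padding byte to equal the pad-length byte
    n = pt[-1]
    return pt[:-(n + 1)] if n + 1 <= len(pt) and pt[-(n + 1):] == bytes([n]) * (n + 1) else None

def record_ok(unpad, mac_key, pt):  # receiver: strip the padding, then verify the MAC over what is left
    body = unpad(pt)
    return body is not None and len(body) > MACLEN and hmac.compare_digest(body[-MACLEN:], mac(mac_key, body[:-MACLEN]))

def tampered_acceptance_rate(unpad, trials=4096, seed=1):
    """Fraction of records the receiver accepts after its final ciphertext block is replaced by block 3."""
    rng, accepted = random.Random(seed), 0
    for _ in range(trials):
        enc_key, mac_key = (bytes(rng.getrandbits(8) for _ in range(16)) for _ in range(2))
        iv = bytes(rng.getrandbits(8) for _ in range(BS))
        padded = MSG + mac(mac_key, MSG) + bytes([BS - 1]) * BS  # pad fills a whole block; valid under both rules
        ct = cbc_encrypt(enc_key, iv, padded)
        assert record_ok(unpad, mac_key, cbc_decrypt(enc_key, iv, ct))  # the genuine record is always accepted
        accepted += record_ok(unpad, mac_key, cbc_decrypt(enc_key, iv, ct[:-BS] + ct[3 * BS:4 * BS]))
    return accepted / trials
```

Each accepted tampered record is one successful guess, which is why the attack needs on the order of 256 connections per cookie byte and why the full padding check of TLS (or simply refusing SSL 3.0) closes the oracle.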

Recommendations:

  • The attack described above requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol in the client or in the server (or both) will completely avoid it.
  • Disabling SSL 3.0 entirely right away may not be practical if it is needed occasionally to work with legacy systems. So, it is advisable to implement TLS_FALLBACK_SCSV on browser and server, which will make downgrade attacks impossible.