Prevent SSL POODLE attacks
The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack is a fallback attack that tries to downgrade the used TLS protocol version.
Security assessment
CVSS vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Vulnerability information
The POODLE attack (Padding Oracle On Downgraded Legacy Encryption) was discovered by Bodo Möller, Thai Duong, and Krzysztof Kotowicz from the Google Security Team. It was announced publicly in October 2014 in a paper called This POODLE Bites: Exploiting The SSL 3.0 Fallback.
This attack is made up of two parts. First, a man-in-the-middle attack allows an attacker to force a connection between a server and a client down from transport layer security (TLS) protocol encryption to SSL 3.0 encryption. This will enable them to eavesdrop on the traffic between the client and the server and then decipher it.
The second part is a padding oracle attack that reveals the encrypted information (ciphertext) by repeatedly sending requests to a web server. This part of the attack exploits a security vulnerability in the CBC (cipher block chaining) encryption mode of SSL 3.0. Hence the need to downgrade that version of the protocol.
If a POODLE attack is successful, it allows an attacker to reveal sensitive data such as passwords, session cookies, or other authentication tokens that enable them to impersonate a user and gain access to a website. It can also lead to a leak of personal data, credit card numbers, and health records.
In other words, several conditions need to be in place for a POODLE attack to be possible and succeed. Attackers must:
- Launch a successful man-in-the-middle attack (MITM) - which requires a particular set of circumstances in itself
- Force the victim to run malicious JavaScript and cause the server to downgrade or fall back on SSL 3.0
- Send requests to the server by varying the input to exploit the CBC vulnerability
- Monitor the server responses and resulting ciphertext to decrypt the information and gain access
If attackers can execute all of these steps, a POODLE attack is successful. In total, it only takes several minutes to complete the attack, given that the above conditions are met.
Any system that supports SSL 3.0 with CBC or implements an SSL/TLS suite is vulnerable to this attack. In addition, systems that reference SSL/TLS libraries (such as OpenSSL) are also possible targets. Moreover, as of 2014, it has been found that TLS protocol versions 1.0 - 1.2 are also vulnerable to a POODLE attack and are even easier targets because no fallback to SSL is required as part of the attack.
About attacks
Here is how a POODLE attack is executed, step by step:
- An attacker executes a man-in-the-middle-attack which is more easily achieved on public networks with low security. This is often done by forcing users to run malicious JavaScript on an innocently-looking website.
- The MITM attack allows them to eavesdrop on the communication between the client and the server and interfere and add input to this traffic. This communication remains encrypted, so the attacker has to cause the server to downgrade to SSL 3.0 to exploit its vulnerability.
- After successfully causing the server to switch to SSL 3.0 through a protocol downgrade dance, the attacker can begin with the padding oracle attack.
- The attacker exploits the SSL 3.0 padding vulnerability, which allows them to recover ciphertext by sending numerous cookie-bearing HTTP POST requests to the server with varying inputs in the last block of the request.
- By monitoring server responses and varying the input, attackers can recover the contents byte-by-byte. One byte of the cookie typically takes no more than 256 attempts to be revealed, and for a 16-byte cookie, this equals a maximum of 4096 requests.
Prevent attacks
To prevent the POODLE attack, SSL 3.0 support must be disabled from both servers and browsers, and a secure TLS configuration must be implemented to support TLS 1.2 or higher.
In addition, you must also ensure to enable TLS_FALLBACK_SCSV. This protocol extension guarantees that the protocol never falls back to earlier protocol versions below the highest SSL or TLS version supported by the server during a negotiation.
Implementing TLS_FALLBACK_SCSV means that SSL is only used when an existing legacy system is involved, not a downgrade attack that forces the server to skip versions and downgrade to SSL 3.0. Effectively, this stops the forced downgrade from occurring and thereby the whole POODLE attack.