Immediate Patching of your Internet-facing Web Services Against POODLE


The Bad News: Another age-old vulnerability Unearthed

A vulnerability has been identified in SSL which could allow a man-in-the-middle (MITM) attacker to snoop on your encrypted traffic and recover its plaintext, for example session cookies. This means that the attacker could hijack your banking session, for example, and siphon off funds.

The CVE identifier for this vulnerability, termed POODLE (which stands for Padding Oracle On Downgraded Legacy Encryption), is CVE-2014-3566. The attack is made possible by a protocol “feature” that allows downgrading the protocol version, which an attacker can leverage to force a less secure older version – SSL 3.0 in this case.

SSLv3 was deprecated nearly 15 years ago when TLS 1.0 was published in 1999. TLS 1.0 has been universally supported since then; however, some old browsers, notably IE6 on Windows XP, disable it by default. Those clients, which must fall back to SSLv3, constitute the main attack surface.

The vulnerability details have been covered extensively in numerous excellent posts online, so we will not revisit them here.

If you run a plethora of HTTPS services on heterogeneous platforms, your time-to-patch could be substantial, depending on your vendors’ turnaround times and your own change control processes. This could lengthen your risk window while ready-to-use exploit kits begin to proliferate on the Internet.

The Good News

If you use the Barracuda Web Application Firewall, you can quickly secure all your HTTPS services in a few seconds by using the bulk edit feature. The Barracuda Web Application Firewall allows fine-grained control of SSL protocols and ciphers using the graphical UI. No need to mess with complex configuration files or command lines.

Begin by navigating to the BASIC>Services page. Select all your HTTPS services using checkboxes on the left of the Service Names. Use the More Actions drop-down to find Edit and click on it. You will find an option to disable SSL v3 for all the services.

If you are editing a single service, the UI will look like the first one below. For bulk edit of services, it will show up as the second one.


As soon as you Save these changes, all your HTTPS services will begin denying SSL v3 requests, thus mitigating the vulnerability.
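After saving, it is worth confirming from outside the WAF that each service really refuses SSLv3. The script below is an added example for that check; it is not part of the original post and not Barracuda code. It sends a minimal SSLv3 ClientHello (no extensions, a constructed set of common cipher suites) to a host and port you supply as assumptions, and classifies the reply: a handshake alert or a closed connection means SSLv3 is refused, while an SSLv3 ServerHello means the service still negotiates it. The record building and response classification are separate functions so they can be exercised offline on constructed bytes.

```python
import os
import socket
import struct
import sys

# SSLv3 is version 3.0 on the wire (TLS 1.0 is 3.1, TLS 1.2 is 3.3)
SSLV3 = (3, 0)

# Constructed sample of cipher suites an SSLv3 server would commonly accept:
# RSA with AES-128-CBC, AES-256-CBC, 3DES-CBC, RC4-SHA, RC4-MD5
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_sslv3_client_hello(random_bytes=None):
    """Return a complete SSLv3 ClientHello record (record header + handshake)."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        bytes(SSLV3)                            # client_version = 3.0
        + random_bytes                          # 32-byte client random
        + b"\x00"                               # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 3-byte length
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record header: type 22 (handshake) + version 3.0 + 2-byte length
    return b"\x16" + bytes(SSLV3) + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data):
    """Map the first record the server sends back to a verdict string."""
    if len(data) < 5:
        return "refused"            # connection closed without a reply
    rec_type, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if rec_type == 0x15:
        return "refused"            # alert, e.g. handshake_failure / protocol_version
    if rec_type == 0x16 and (major, minor) == SSLV3 and len(data) > 5 and data[5] == 0x02:
        return "accepts_sslv3"      # SSLv3 ServerHello: downgrade still possible
    return "unexpected"             # e.g. a ServerHello with a different version


def check_sslv3(host, port=443, timeout=5.0):
    """Connect to host:port, offer only SSLv3, and report how the server reacts."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_server_response(data)


if __name__ == "__main__":
    # Usage: python check_sslv3.py <host> [port]  (host and port are your own)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{target}:{target_port} -> {classify_server_response.__name__}: {check_sslv3(target, target_port)}")
```

Run it against each published HTTPS virtual IP after the bulk edit; every service should report "refused". A result of "accepts_sslv3" means that service was missed in the edit, and "unexpected" usually means the server answered with a different protocol version and deserves a closer look with a full-featured scanner.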

The impact of this vulnerability on the management UI of the product itself is relatively insignificant. This assumes that most security administrators moved on from IE6 a long time ago. As long as you are using a modern web browser to administer the product, there is no risk here.

We will keep posting developments on this vulnerability here and in the product forums at:

If you have not already subscribed to the forums, we encourage you to do so at your earliest convenience.
