Patches for the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability in SSL, first discussed in October, have been gradually rolled out since its discovery. We have recently found that some transport layer security (TLS) implementations may be vulnerable to a variant of the same POODLE attack. This means that connections protected by TLS can, under certain conditions, be exposed to man-in-the-middle (MITM) attacks in which an attacker decrypts the encrypted traffic.
How Does POODLE Affect TLS?
The original POODLE bug was a flaw in how SSL 3.0 processed the padded data if a cipher was used in cipher-block chaining (CBC) mode. Later protocols (TLS 1.0 up to 1.2) were not thought to be vulnerable to this issue.
However, in some cases, POODLE-like attacks can be mounted against TLS protocols as well, if code is reused by the implementations. Adam Langley, a security expert working for Google, noted on his blog that:
This seems like a good moment to reiterate that everything less than TLS 1.2 with an AEAD cipher suite is cryptographically broken. An IETF draft to prohibit RC4 is in Last Call at the moment but it would be wrong to believe that RC4 is uniquely bad. While RC4 is fundamentally broken and no implementation can save it, attacks against MtE-CBC ciphers have repeatedly been shown to be far more practical. Thankfully, TLS 1.2 support is about to hit 50% at the time of writing.
How Can This New POODLE Attack Be Exploited?
Exploiting this flaw would work much like the original POODLE attack. An attacker positioned to carry out a MITM attack could use it to decrypt encrypted traffic and read the affected user's data. A single character can be decrypted using 256 requests to the original HTTP server; an eight-character password would require 2,048 requests.
A CVE ID, CVE-2014-8730, has been assigned to this vulnerability. System administrators should consider modifying their TLS configurations to support more secure protocols, cipher modes, and algorithms. End users can use various online testing tools to check the security of sites that they use.
How To Bite Back
There is no “patch” that can be directly applied as the vulnerability lies in the protocol, not in the implementation. Application delivery networking vendors such as F5 Networks and A10 Networks have confirmed that the flaw exists in some of their products and have already issued patches and workarounds. Administrators whose products are affected should therefore apply the patches provided by their vendors.
In addition, we advise users to apply the latest Trend Micro™ Deep Security™ update DSRU14-038. We released a rule for Deep Security users which will help detect the traffic from POODLE exploits. The rule is identified as:
- 1006401 – Identified Too Many TLS Alert Messages In TLS Traffic
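As an added illustration (this is not Trend Micro's rule or code), the following Python sketch shows the kind of logic behind a “too many TLS alert messages” detection: each failed padding guess in a POODLE-style attack makes the server answer with a TLS alert record, and while the alert body is encrypted after the handshake, the record header's content type byte (0x15) stays visible in TLS 1.0 through 1.2. The parser reads TLS record headers from captured TCP payloads, counts alert records per source in a sliding time window, and flags a source that exceeds a threshold; the threshold, window and sample record bytes are constructed assumptions.

```python
import struct
from collections import defaultdict, deque

TLS_ALERT = 0x15          # TLS record content type "alert" (visible even when encrypted)
ALERT_THRESHOLD = 20      # assumed: alerts per source within the window before flagging
WINDOW_SECONDS = 60.0     # assumed: sliding window length


def parse_tls_records(data: bytes):
    """Yield (content_type, (major, minor), body) for each complete TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated record: stop rather than misparse the remainder
        yield ctype, (major, minor), body
        off += 5 + length


class AlertFloodDetector:
    """Count TLS alert records per source in a sliding time window."""

    def __init__(self, threshold=ALERT_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.alerts = defaultdict(deque)  # source -> timestamps of alert records

    def observe(self, ts: float, source: str, payload: bytes) -> bool:
        """Feed one packet's TCP payload; return True if `source` exceeds the threshold."""
        q = self.alerts[source]
        for ctype, _version, _body in parse_tls_records(payload):
            if ctype == TLS_ALERT:   # only the header is inspected; body may be encrypted
                q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()              # drop alerts that fell out of the window
        return len(q) > self.threshold


def run_sample():
    """Constructed sample: one application_data record, then a burst of alert records."""
    det = AlertFloodDetector(threshold=5, window=60.0)
    app = b"\x17\x03\x01\x00\x03abc"          # application_data, TLS 1.0, 3-byte body
    alert = b"\x15\x03\x01\x00\x02\x02\x14"   # alert, TLS 1.0: fatal(2) bad_record_mac(20)
    flagged_at = None
    for i in range(8):
        payload = app if i == 0 else alert
        if det.observe(float(i), "192.0.2.10", payload) and flagged_at is None:
            flagged_at = i           # first packet at which the burst crosses the threshold
    return flagged_at
```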