SSLv3 vulnerability: POODLE

POODLE (Padding Oracle On Downgraded Legacy Encryption): this vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

Three Google security researchers discovered the flaw and detailed how it could be exploited through what they called a Padding Oracle On Downgraded Legacy Encryption (POODLE) attack (CVE-2014-3566).

POODLE affects older standards of encryption, specifically Secure Sockets Layer (SSL) version 3. It does not affect the newer encryption mechanism known as Transport Layer Security (TLS).

How to test this against your server:

openssl s_client -connect <server>:443 -ssl3

If the above command succeeds, SSLv3 is enabled on your server.

A shell script for this check: https://troubleshootblog.com/2014/10/20/ssl-v3-poodle-shell-script-to-verify-the-server/

To fix this, disable SSLv3 on your server.

How to fix this on Apache:

> SSLProtocol All -SSLv2 -SSLv3                   <- Removes SSLv2 and SSLv3 from the config

> service apache restart                          <- Restart the server (the service name varies by distribution, e.g. apache2 or httpd)
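
To confirm the SSLProtocol fix above is not overridden elsewhere in the configuration, the following added example (not the page's or the linked script's code) audits every SSLProtocol directive in a file. It assumes that "all" includes SSLv3, and the function names and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the page's script): flag Apache SSLProtocol directives
# that still leave SSLv3 enabled.
# Assumption: "all" includes SSLv3, which is why the page's fix adds -SSLv3.

# sslv3_enabled "<SSLProtocol arguments>": exit 0 if SSLv3 stays enabled.
sslv3_enabled() {
    v3=0
    for tok in $1; do
        case $(printf '%s' "$tok" | tr 'A-Z' 'a-z') in
            +sslv3|+all|sslv3|all) v3=1 ;;  # bare name replaces the set
            -sslv3|-all)           v3=0 ;;
            [+-]*)                 ;;       # +/- other protocol: no change
            *)                     v3=0 ;;  # bare other protocol replaces the set
        esac
    done
    [ "$v3" -eq 1 ]
}

# audit_conf FILE: print each offending directive as FILE:LINE; exit 1 if any.
audit_conf() {
    file=$1 bad=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f        # split the line into words
        [ "$#" -ge 2 ] || continue
        [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = sslprotocol ] || continue
        shift
        if sslv3_enabled "$*"; then
            printf '%s:%d: SSLProtocol %s\n' "$file" "$n" "$*"
            bad=1
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Constructed sample config: the global line is fixed, one vhost overrides it.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
SSLProtocol All -SSLv2 -SSLv3
<VirtualHost *:443>
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol TLSv1.2
</VirtualHost>
EOF

audit_conf "$SAMPLE" || echo "SSLv3 is still enabled in at least one context"
```

A config audit like this complements the openssl s_client -ssl3 probe, which also fails when the local OpenSSL build was compiled without SSLv3 support.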
