===========================================================================
AUSCERT Security Bulletin

ASB-2014.0122
Vulnerability in SSLv3 could be exploited through a protocol downgrade
attack to reveal clear text data

15 October 2014
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Secure Sockets Layer version 3 (SSLv3)
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
                      Mobile Device
                      Network Appliance
Impact/Access:        Access Confidential Data -- Remote with User Interaction
                      Reduced Security         -- Remote with User Interaction
Resolution:           Mitigation
CVE Names:            CVE-2014-3566
Member content until: Friday, November 14 2014

OVERVIEW

The OpenSSL Project has issued advisories warning against vulnerabilities
in SSLv3 which could be exploited through a protocol downgrade attack to
obtain clear text data. This vulnerability has been dubbed the "POODLE"
issue. [1]

IMPACT

The vulnerability has been assigned CVE-2014-3566, but limited details
have been released regarding attack vectors and impacts.

The vulnerability is explained as follows:

"SSL 3.0 [RFC6101] is an obsolete and insecure protocol. While for most
practical purposes it has been replaced by its successors TLS 1.0
[RFC2246], TLS 1.1 [RFC4346], and TLS 1.2 [RFC5246], many TLS
implementations remain backwards compatible with SSL 3.0 to interoperate
with legacy systems in the interest of a smooth user experience. The
protocol handshake provides for authenticated version negotiation, so
normally the latest protocol version common to the client and the server
will be used.

However, even if a client and server both support a version of TLS, the
security level offered by SSL 3.0 is still relevant since many clients
implement a protocol downgrade dance to work around server-side
interoperability bugs.

In this Security Advisory, we discuss how attackers can exploit the
downgrade dance and break the cryptographic security of SSL 3.0." [1]

MITIGATION

It is recommended that, where possible, implementations of SSLv3 be
disabled and replaced with TLS v1.2.

All TLS Client and Server implementations are to use the
TLS_FALLBACK_SCSV mechanism which prevents protocol downgrade attacks. [1]

REFERENCES

[1] This POODLE Bites: Exploiting The SSL 3.0 Fallback
    https://www.openssl.org/~bodo/ssl-poodle.pdf

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
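
The server-side check behind the TLS_FALLBACK_SCSV mechanism named under MITIGATION, as an added Python example that is not part of the AusCERT bulletin or of any TLS library's code. The cipher suite value 0x5600 and the inappropriate_fallback alert (86) are from RFC 7507; the helper names and the server's version range (SSLv3 disabled, TLS 1.2 highest) are assumptions, and the ClientHello bytes are constructed.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600         # signalling cipher suite value, RFC 7507
ALERT_PROTOCOL_VERSION = 70        # fatal alert: offered version not supported
ALERT_INAPPROPRIATE_FALLBACK = 86  # fatal alert defined by RFC 7507
SSL3, TLS10, TLS12 = 0x0300, 0x0301, 0x0303

def parse_client_hello(msg):
    """Return (client_version, cipher_suites) from a ClientHello handshake message."""
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    (version,) = struct.unpack_from("!H", body, 0)
    pos = 2 + 32                   # skip client_version and random
    pos += 1 + body[pos]           # skip session_id (1-byte length prefix)
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack_from("!H", body, pos)
    raw = body[pos + 2:pos + 2 + n]
    if n % 2 or len(raw) != n:
        raise ValueError("bad cipher_suites vector")
    return version, [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]

def server_decision(msg, server_min=TLS10, server_max=TLS12):
    """Return ("alert", code) or ("negotiate", version) for one ClientHello.

    server_min/server_max are assumed settings: SSLv3 disabled, TLS 1.2 highest.
    """
    version, suites = parse_client_hello(msg)
    # A client sending the SCSV is retrying at a lower version. If the server
    # supports a higher version, the fallback was unnecessary and is refused.
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    if version < server_min:
        return ("alert", ALERT_PROTOCOL_VERSION)
    return ("negotiate", min(version, server_max))

def build_client_hello(version, suites):
    """Constructed sample input: minimal ClientHello, empty session_id, no extensions."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"            # one compression method: null
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

A client that only speaks TLS 1.0 and never sends the SCSV is still served, which is why the mechanism can be deployed without breaking legacy peers.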