Analysis of POODLE Vulnerability and Remediation Techniques


Added on  2019/09/19

AI Summary
This report provides a detailed overview of the POODLE vulnerability (CVE-2014-3566), a critical flaw in the SSLv3 protocol. The executive summary outlines that POODLE allows attackers to recover plaintext from encrypted SSL 3 connections through crafted HTTPS requests, potentially leading to data breaches. The technical description elaborates on the vulnerability's nature, attack vectors involving man-in-the-middle techniques, and exploitation scenarios. The report emphasizes mitigation strategies, including disabling SSLv3, implementing TLS, and using security protocols to protect against attacks. Remediation steps for both Windows and Linux-based servers are provided, including registry modifications and configuration adjustments for web servers like Apache and Nginx. The report concludes by highlighting the importance of strong security measures to safeguard against this vulnerability.
Executive Summary
TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are
security protocols designed to provide encryption over wireless networks. HTTPS is
HTTP used in combination with a TLS or SSL channel. CVE-2014-3566, more commonly
known as POODLE, is a weakness in version 3 of the SSL protocol. This vulnerability
allows an attacker to recover small pieces of plaintext from an encrypted SSL 3
connection by issuing crafted HTTPS requests. By issuing multiple HTTPS requests,
the attacker obtains a plaintext byte, which allows him to guess a particular byte.
In order to mitigate this vulnerability, many companies have moved to the TLS
protocol.
Technical Description
Vulnerability Description
A vulnerability discovered in version 3 of Secure Sockets Layer allows an attacker to
guess the plaintext of encrypted connections, effectively defeating the sole purpose of
SSL. SSL and TLS are communication protocols that protect the integrity and
confidentiality of communications by encrypting messages end to end. The
vulnerability is known as POODLE, or Padding Oracle On Downgraded Legacy
Encryption. Malicious agents are likely to turn this vulnerability into a full-fledged
attack. It can be exploited through a man-in-the-middle attack in which the attacker
forces a downgrade of the encryption protocol to version 3 of SSL and then targets the
system that is decrypting the data. In the process, the attacker also observes the
exchange and applies a padding-based attack in order to recover the plaintext [1].
Attack Vector
The main attack vector is a man-in-the-middle attack. The attacker assumes the role of
the middle man and makes use of several man-in-the-middle techniques for the attack.
The handshake begins when the client's device sends a hello message to the server, to
which the server responds with another hello message. Once both sides have completed
the handshake, the encrypted data begins transferring. This is when the page starts to
be displayed on the screen. The encrypted data exchanged between the client and the
server is the data that is crucial for the attack. The attacker performs a
man-in-the-middle attack in order to send a request to the server and thereafter
performs a simple brute-force attack that reveals the encrypted data being exchanged
in plaintext to the attacker [2].
Mitigation
a) Disabling SSLv3 protects completely against this attack; however, it is not
advisable, as legacy clients would be left out entirely. Adding a Snort rule can help
the business detect any hello messages that are sent using SSL version 3.
b) Clients using TLS that downgrade the protocol version to improve interoperability
need to include the value 0x56, 0x00 (TLS_FALLBACK_SCSV) in
ClientHello.cipher_suites in all fallback handshakes. This helps the business reject
any downgrade attack.
c) TLS servers should also check incoming connections that use a lower protocol
version: if the server supports a higher protocol, it should reject the connection
with a fatal alert.
d) Limiting network access to the management interface of any given appliance with a
strong protection mechanism such as a firewall.
e) Making use of a stronger password.
f) Issuing accounts only to administrators whom the business trusts.
g) Restricting physical access to appliances to only those administrators whom the
business trusts explicitly [3].
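The checks in items a) to c), as an added Python example that is not part of the original report: it parses a ClientHello, flags SSLv3 hellos, and applies the TLS_FALLBACK_SCSV rule on the server side. SERVER_MAX, the function names and the sample hellos are constructed for illustration; inappropriate_fallback is the fatal alert name defined in RFC 7507.

```python
TLS_FALLBACK_SCSV = 0x5600   # the 0x56, 0x00 cipher-suite value from item b)
SSL3 = (3, 0)
SERVER_MAX = (3, 3)          # assumption: this server's highest version is TLS 1.2

def parse_client_hello(record: bytes):
    """Return (client_version, cipher_suites) from one handshake record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    rlen = int.from_bytes(record[3:5], "big")
    hlen = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hlen]
    if rlen != hlen + 4 or len(hello) != hlen or hlen < 35:
        raise ValueError("truncated or fragmented ClientHello")
    version = (hello[0], hello[1])
    pos = 34 + 1 + hello[34]             # skip version, random, session_id
    slen = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + slen]
    if slen == 0 or slen % 2 or len(raw) != slen:
        raise ValueError("bad cipher_suites vector")
    return version, [int.from_bytes(raw[i:i + 2], "big") for i in range(0, slen, 2)]

def assess(record: bytes) -> str:
    """Decision a monitor or server would take for this ClientHello."""
    version, suites = parse_client_hello(record)
    # Item c): a fallback hello below the server's best version is a downgrade.
    if TLS_FALLBACK_SCSV in suites and version < SERVER_MAX:
        return "reject: inappropriate_fallback"
    # Item a): what a detection rule for SSLv3 hello messages would match.
    if version == SSL3:
        return "alert: SSLv3 ClientHello"
    return "ok"

def build_hello(version, suites) -> bytes:
    """Constructed sample ClientHello without extensions (demo input only)."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (bytes(version) + bytes(32) + b"\x00"
             + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    samples = [((3, 0), [0x002F]), ((3, 1), [0x002F, 0x5600]), ((3, 3), [0xC02F])]
    for ver, suites in samples:
        print(ver, assess(build_hello(ver, suites)))
```

A hello whose version already equals SERVER_MAX is accepted even when it carries the fallback value, because no higher protocol was available to the client.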
Exploitation Scenario
a) Let's say a connection has been established between a browser and a server and
the handshake has been completed.
b) An attacker begins by interrupting the secure connection between the browser and
the server.
c) Once the connection has been interrupted, the browser tries to reconnect to the
server using a downgraded protocol, i.e., a lower protocol than TLS 1.0.
d) Once the downgrade to SSL3 has been successful, the attacker begins exploiting
the vulnerabilities found in SSL3 [4].
e) The attacker begins decrypting the session and extracting data in plaintext.
Remediation
On Windows Server, one can disable SSL3 to protect the system:
a) SSL 3 can be disabled through the registry by navigating to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
b) In the above registry location, one would need to add a new value and then disable
the SSL3 protocol.
On Linux-based servers, one can disable SSL3 with the following steps:
a) On Ubuntu servers running Nginx, the change is made in /etc/nginx/nginx.conf inside
the http block, or else in each of the server blocks in the /etc/nginx/sites-enabled
directory.
b) On CentOS, one can disable SSL3 by editing the SSL configuration file located at
/etc/httpd/conf.d/ssl.conf.
c) On Apache Web Server, one can disable SSLv3 by adjusting the SSLProtocol
directive provided by the mod_ssl component [5].
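To check the result of the Linux steps above, this added Python example (not taken from the report or from reference [5]) reads configuration text and reports whether each protocol directive still allows SSLv3. It assumes the nginx directive is ssl_protocols, which the report does not name, and that Apache's "all" shortcut includes SSLv3, as on older mod_ssl builds; the sample configurations are constructed.

```python
import re

# nginx "ssl_protocols" and Apache mod_ssl "SSLProtocol"; commented lines are skipped.
DIRECTIVE = re.compile(r"^[ \t]*(ssl_protocols|SSLProtocol)[ \t]+([^;#\n]+)", re.I | re.M)
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}   # assumption: "all" includes SSLv3

def allows_sslv3(name: str, args: str) -> bool:
    tokens = args.lower().split()
    if name.lower() == "ssl_protocols":      # nginx: plain allow-list
        return "sslv3" in tokens
    enabled = set()                          # Apache: tokens applied left to right
    for tok in tokens:
        sign = tok[0] if tok[0] in "+-" else ""
        proto = tok.lstrip("+-")
        protos = ALL if proto == "all" else {proto}
        if sign == "-":
            enabled = enabled - protos
        elif sign == "+":
            enabled = enabled | protos
        else:
            enabled = set(protos)            # modelled here: bare token replaces the set
    return "sslv3" in enabled

def audit(conf: str):
    """Return [(line_number, directive_text, sslv3_allowed)] for a config's text."""
    findings = []
    for m in DIRECTIVE.finditer(conf):
        line = conf.count("\n", 0, m.start(1)) + 1
        findings.append((line, m.group(0).strip(), allows_sslv3(m.group(1), m.group(2))))
    return findings

# Constructed sample configurations: weak setting beside the corrected one.
NGINX_BEFORE = "http {\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"
NGINX_AFTER = "http {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"
APACHE_BEFORE = "SSLEngine on\nSSLProtocol all\n"
APACHE_AFTER = "SSLEngine on\n# SSLProtocol all\nSSLProtocol all -SSLv3\n"

if __name__ == "__main__":
    for conf in (NGINX_BEFORE, NGINX_AFTER, APACHE_BEFORE, APACHE_AFTER):
        print(audit(conf))
```

An empty result means the file sets no protocol directive, so the server's built-in default applies and should be checked separately.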
References
[1] SECURITY BULLETIN POODLE (CVE-2014-3566). 2014.
[2] A. Prodromou, "TLS/SSL Explained - Examples of a TLS Vulnerability and Attack, Final Part - Acunetix", Acunetix, 2018. [Online]. Available: https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/. [Accessed: 24- Apr- 2018].
[3] VPN SECURITY. 2008.
[4] "POODLE - The man-in-the-middle attack on SSLv3", Alertlogic.com, 2018. [Online]. Available: https://www.alertlogic.com/blog/poodle-the-man-in-the-middle-attack-on-sslv3/. [Accessed: 24- Apr- 2018].
[5] "How To Protect your Server Against the POODLE SSLv3 Vulnerability | DigitalOcean", Digitalocean.com, 2018. [Online]. Available: https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability. [Accessed: 24- Apr- 2018].