Diagnosing POODLE (CVE-2014-3566) Vulnerability

Well, it’s kind of a silly vulnerability to be quite frank.  It’s based on a very outdated and obsolete protocol with many superior replacements already in production and it’s a man-in-the-middle attack that requires a significant amount of technical expertise and a serious security breach providing access to the innards of enterprise networks in order to work against a real-world organization, so it’s no Shellshock or Heartbleed.  Nonetheless, the recent frenzied media interest in riling up the public over security issues to which marketing brand-style names can be attached generates a lot of attention on these issues.  We should be diligent and remedy every vulnerability we spot, and especially the ones making the rounds in popular public discussion.

Basically, the server-side risk is that the server accepts SSLv3 connections.  Since the protocol itself is broken (and obsolete…and thoroughly replaced by superior alternatives…), we should just prevent our systems from accepting SSLv3 connections.  The best way to diagnose your system is to simply attempt to establish an SSLv3 connection with it.  You need only know the port over which the system is listening for secure connections and you may then attempt the following command (from a Linux system with the openssl package):

openssl s_client -ssl3 -connect “server:port”

You’ll get a bunch of interesting output.  The easiest way to tell you’ve successfully established the connection is to note the inclusion of a certificate in the output (a lot of characters between  —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–) or to examine the bottom of the output which looks like:

SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-DES-CBC3-SHA
    Session-ID: 6454AD67231FB102F2EA95FD97938B3A4AF80B1C42625C3DA5E3517A1FC12C9F
    Session-ID-ctx:
    Master-Key: 615650DCF72E1111802693B2EEAE23EA45FB0C12B37FE8503C0C271626B154CDEF75C86780B01C4BC2D480442E6E8E87
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1413922486
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)

If your attempt were unsuccessful, you’d expect output like the following:

SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1413922582
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

So, if you run into the former, be aware that your server is accepting connection attempts over an insecure, obsolete protocol and seek out the appropriate configuration file (depending on the service being offered) and remedy the situation.  if you have a list of servers in your environment and the ports on which they host services, you can write up a simple for loop to iterate through them, alerting you to any whose output fails to include the “BEGIN CERTIFICATE” line (for example) or a Session-ID with a non-blank value (for another example) to give you a list of those systems to investigate further.

Advertisements
This entry was posted in Information Technology and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s