Well, it’s kind of a silly vulnerability to be quite frank. It’s based on a very outdated and obsolete protocol with many superior replacements already in production and it’s a man-in-the-middle attack that requires a significant amount of technical expertise and a serious security breach providing access to the innards of enterprise networks in order to work against a real-world organization, so it’s no Shellshock or Heartbleed. Nonetheless, the recent frenzied media interest in riling up the public over security issues to which marketing brand-style names can be attached generates a lot of attention on these issues. We should be diligent and remedy every vulnerability we spot, and especially the ones making the rounds in popular public discussion.
Basically, the server-side risk is that the server accepts SSLv3 connections. Since the protocol itself is broken (and obsolete…and thoroughly replaced by superior alternatives…), we should just prevent our systems from accepting SSLv3 connections. The best way to diagnose your system is to simply attempt to establish an SSLv3 connection with it. You need only know the port over which the system is listening for secure connections and you may then attempt the following command (from a Linux system with the openssl package):
openssl s_client -ssl3 -connect “server:port”
You’ll get a bunch of interesting output. The easiest way to tell you’ve successfully established the connection is to note the inclusion of a certificate in the output (a lot of characters between —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–) or to examine the bottom of the output which looks like:
SSL-Session: Protocol : SSLv3 Cipher : ECDHE-RSA-DES-CBC3-SHA Session-ID: 6454AD67231FB102F2EA95FD97938B3A4AF80B1C42625C3DA5E3517A1FC12C9F Session-ID-ctx: Master-Key: 615650DCF72E1111802693B2EEAE23EA45FB0C12B37FE8503C0C271626B154CDEF75C86780B01C4BC2D480442E6E8E87 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1413922486 Timeout : 7200 (sec) Verify return code: 18 (self signed certificate)
If your attempt were unsuccessful, you’d expect output like the following:
SSL-Session: Protocol : SSLv3 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1413922582 Timeout : 7200 (sec) Verify return code: 0 (ok)
So, if you run into the former, be aware that your server is accepting connection attempts over an insecure, obsolete protocol and seek out the appropriate configuration file (depending on the service being offered) and remedy the situation. if you have a list of servers in your environment and the ports on which they host services, you can write up a simple for loop to iterate through them, alerting you to any whose output fails to include the “BEGIN CERTIFICATE” line (for example) or a Session-ID with a non-blank value (for another example) to give you a list of those systems to investigate further.