This year may be remembered as the year of the “named” bugs — first Heartbleed, then Shellshock, and now POODLE — another bug surrounding SSL encryption. Unlike standard CVE designations, a vulnerability with a name tends to invoke fear in the heart of systems… although the actual impact of these varies wildly.
Google researchers released details about POODLE yesterday, with technical details hosted at the OpenSSL website. Although these papers are certainly interesting reads, there are only a few things you need to know to protect both yourself and your network assets from POODLE attacks.
First, it’s important to know that POODLE affects SSL 3.0 by allowing a man-in-the-middle attacker to reveal plaintext data in an otherwise encrypted connection. Although this is clearly a major problem, the attack vector is much more difficult to exploit than, say, Heartbleed (which can be exploited by a remote attacker to leak memory from a system) or Shellshock (which can actually run arbitrary code on a vulnerable system).
Protecting yourself (as a user) from POODLE is easy: all you need to do is remove support for SSL 3.0 from your browser (using ssl-version-min=tls1 in Chrome or setting security.tls.version.min to 1 in Firefox). From the server side, Google is currently recommending enabling TLS_FALLBACK_SCSV on web servers.
Fortunately for IT administrators, POODLE’s severity doesn’t approach the criticality of Heartbleed or Shellshock… although it does provide even more reason to have an adequately up-to-date vulnerability management program. Redspin will continue to track this issue, and ensure that the vulnerability is assessed in all of our security assessment engagements.