Yesterday a trio of Google researchers published the details of a new security vulnerability in SSL 3.0. The vulnerability, called POODLE (short for Padding Oracle On Downgraded Legacy Encryption), allows an attacker who exploits it to break the cryptographic security of SSL 3.0, use the data passing over the secure channel to his advantage and craft further attacks.
It is important to point out that SSL 3.0 is 15 years old, and even though it has several much improved successors, support for it remains widespread. The fact that the majority of the web servers on the internet still support SSL 3.0 makes this vulnerability both widespread and critical.
When you access a website over SSL/TLS, the client (in most cases a browser) and the server have to agree on which version of the encryption protocol to use throughout the session. The process starts when the server recommends that the client use the highest encryption protocol version supported. Should the client not support that version, the server recommends an earlier version of the protocol. This process, called the downgrade dance, continues until a version of the encryption protocol that both server and client support is established.
The downgrade dance can be triggered by active attackers or by network glitches. Because attackers know that there is a vulnerability in SSL 3.0, they use the downgrade dance during a man-in-the-middle attack against the victim, who is accessing the web application running on the server.
If the man-in-the-middle attack is successful and an SSL 3.0 connection is established, the attacker can exploit the POODLE vulnerability against the captured encrypted packets and retrieve data from them, which allows the attacker to hijack web sessions.
For more details about the POODLE vulnerability you can refer to the official POODLE SSL vulnerability documentation.
The POODLE vulnerability is critical, though not as critical as Heartbleed, the previous SSL vulnerability that sent the security industry into panic mode. While Heartbleed could be exploited by sending requests directly to the server, exploiting POODLE requires control over the connection between the victim and the server in order to launch a man-in-the-middle attack, which is not a straightforward process that can be automated.
Therefore the chances of someone widely exploiting the POODLE vulnerability are almost negligible. Still, you should take action to ensure that your web servers are not vulnerable to it.
The chances that your web servers are vulnerable to the POODLE vulnerability are very high because, as explained before, support for SSL 3.0 is still very common. To find out if they are, scan your web servers with the latest version of Netsparker Web Application Security Scanner, which includes a check for the POODLE bug.
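The condition behind the finding, a server that still completes an SSL 3.0 handshake, can also be checked by hand. The following Python code is an added example, not Netsparker's code: it sends a ClientHello that offers only SSL 3.0 with CBC cipher suites (the mode the padding oracle applies to) and classifies the first record of the reply; the function names and the sample replies are constructed for illustration.

```python
import os
import socket
import struct

SSL3 = 0x0300
# CBC-mode suites (the mode POODLE's padding oracle applies to):
# RSA with 3DES-EDE-CBC-SHA, AES-128-CBC-SHA, AES-256-CBC-SHA.
CBC_SUITES = (0x000A, 0x002F, 0x0035)

# Constructed sample replies (not captured traffic): a ServerHello that picks
# SSL 3.0 with suite 0x002F, and a fatal handshake_failure alert (40).
SAMPLE_ACCEPT = (b"\x16\x03\x00\x00\x2a" b"\x02\x00\x00\x26" b"\x03\x00"
                 + bytes(32) + b"\x00" b"\x00\x2f" b"\x00")
SAMPLE_REFUSE = b"\x15\x03\x00\x00\x02\x02\x28"


def build_client_hello(version=SSL3, suites=CBC_SUITES):
    """Return one record holding a ClientHello that offers only `version`."""
    body = struct.pack("!H", version) + os.urandom(32)  # client_version, random
    body += b"\x00"                                      # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # compression: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def classify_reply(data):
    """Interpret the first record of the server's reply to the hello above."""
    if len(data) < 5:
        return "no-reply"  # connection closed without an answer
    ctype, _record_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:          # alert record
        return "refused (alert %d)" % payload[1]
    if ctype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # ServerHello
        (chosen,) = struct.unpack("!H", payload[4:6])
        return "ssl3-accepted" if chosen == SSL3 else "other-version 0x%04x" % chosen
    return "unexpected"


def probe(host, port=443, timeout=5.0):
    """Send the SSL 3.0 hello to one of your own servers; classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            return classify_reply(sock.recv(4096))
        except (socket.timeout, ConnectionResetError):
            return "no-reply"
```

A result of `ssl3-accepted` from `probe()` means the server still negotiates SSL 3.0 with a CBC suite; an alert or no reply means that hello was rejected.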
Apart from the security check for the POODLE vulnerability, the latest version of Netsparker also includes a number of bug fixes. Refer to the Netsparker changelog for more detailed information.
If you are already using Netsparker Web Application Security Scanner, a pop-up window with the update details will appear the next time you run Netsparker. Alternatively, you can always click Check for Updates in the Help drop-down menu to force a manual update.
If you have problems with the update process or have product-related queries, get in touch with our awesome support team by sending us an email at firstname.lastname@example.org.