Crypto, Software, System Administration, Vulnerabilities Leave a comment

Protect Linux systems against SSLv3 Poodle vulnerability

What is the Poodle vulnerability ?

The “Poodle” vulnerability is basicly an attack on the SSL 3.0 protocol. It is discovered in October 2014. The flaw is in the protocol itself (not implementation), which makes the issue applicable for all products using SSL 3.0. TLS 1.0 and later are considered safe against the attack.

How does the attack work?

While we won’t go into too much depth of encryption and ciphers, we will share some basics. When SSL 3.0 is used in CBC mode, it uses a block cipher. Small blocks of data are being evaluated for further processing, opposed to encryption on bit level.

Padding

During the decryption cycle, the last byte of each block is inspected. It will expect a value between 0 and 7, telling how much padding space was added. Padding is simply a filler. With the attack these reference bytes are removed, which makes it unclear how much padding was added. This results in valuable data being ignored. This could lead to unexpected behavior and forms the basis of putting in other code to abuse a weakness.

How to test if I’m vulnerable?

Most systems have OpenSSL installed. Although this package got a bad attention lately, it is still fine to test for this vulnerability.

echo "GET /" | openssl s_client -ssl3 -connect localhost:443 2> /dev/null | grep "no peer certificate available" > /dev/null || echo "Vulnerable"

This will send a normal GET request to the HTTPS server (localhost). It expects to get a “no peer certificate available”. If not, then that means the connection is accepted (which is bad) and displays the message.

This snippet can be used to test if your systems are vulnerable. Make sure the target is alive and running a webserver on port 443, or you get a “Vulnerable” message as well.

How do I solve Poodle on Apache?

First we have to search for all virtual hosts which have a SSL protocol defined. Each line that does not contain “-SSLv3” is vulnerable to Poodle.

# Search for all lines containing a SSL protocol definition
 grep -i -r "SSLProtocol" /etc/apache

Replace these lines with:

SSLProtocol all -SSLv2 -SSLv3

This tells Apache to use all protocols, except the weak SSL 2.0 and SSL 3.0 protocols. Do not forget to actually restart Apache on the system.

How do I solve Poodle on Nginx?

# Search for all lines containing a SSL protocol definition
grep -r ssl_protocol /etc/nginx

Change the found references into:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Additional references

OpenSSL: PDF (more technical details)

 

One more thing...

Keep learning

So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

See training package



Lynis Enterprise screenshot to help with system hardeningSecurity scanning with Lynis and Lynis Enterprise

Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.


Download

Continue reading

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.