Protect Linux systems against SSLv3 Poodle vulnerability

What is the Poodle vulnerability ?

The “Poodle” vulnerability is basicly an attack on the SSL 3.0 protocol. It is discovered in October 2014. The flaw is in the protocol itself (not implementation), which makes the issue applicable for all products using SSL 3.0. TLS 1.0 and later are considered safe against the attack.

How does the attack work?

While we won’t go into too much depth of encryption and ciphers, we will share some basics. When SSL 3.0 is used in CBC mode, it uses a block cipher. Small blocks of data are being evaluated for further processing, opposed to encryption on bit level.

Padding

During the decryption cycle, the last byte of each block is inspected. It will expect a value between 0 and 7, telling how much padding space was added. Padding is simply a filler. With the attack these reference bytes are removed, which makes it unclear how much padding was added. This results in valuable data being ignored. This could lead to unexpected behavior and forms the basis of putting in other code to abuse a weakness.

How to test if I’m vulnerable?

Most systems have OpenSSL installed. Although this package got a bad attention lately, it is still fine to test for this vulnerability.

echo "GET /" | openssl s_client -ssl3 -connect localhost:443 2> /dev/null | grep "no peer certificate available" > /dev/null || echo "Vulnerable"

This will send a normal GET request to the HTTPS server (localhost). It expects to get a “no peer certificate available”. If not, then that means the connection is accepted (which is bad) and displays the message.

This snippet can be used to test if your systems are vulnerable. Make sure the target is alive and running a webserver on port 443, or you get a “Vulnerable” message as well.

How do I solve Poodle on Apache?

First we have to search for all virtual hosts which have a SSL protocol defined. Each line that does not contain “-SSLv3” is vulnerable to Poodle.

# Search for all lines containing a SSL protocol definition
 grep -i -r "SSLProtocol" /etc/apache

Replace these lines with:

SSLProtocol all -SSLv2 -SSLv3

This tells Apache to use all protocols, except the weak SSL 2.0 and SSL 3.0 protocols. Do not forget to actually restart Apache on the system.

How do I solve Poodle on Nginx?

# Search for all lines containing a SSL protocol definition
grep -r ssl_protocol /etc/nginx

Change the found references into:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Additional references

OpenSSL: PDF (more technical details)

 

Lynis Enterprise

Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have any compliance in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub)


Leave a Reply

Your email address will not be published. Required fields are marked *