Protect Linux systems against SSLv3 Poodle vulnerability

What is the Poodle vulnerability ?

The “Poodle” vulnerability is basicly an attack on the SSL 3.0 protocol. It is discovered in October 2014. The flaw is in the protocol itself (not implementation), which makes the issue applicable for all products using SSL 3.0. TLS 1.0 and later are considered safe against the attack.

How does the attack work?

While we won’t go into too much depth of encryption and ciphers, we will share some basics. When SSL 3.0 is used in CBC mode, it uses a block cipher. Small blocks of data are being evaluated for further processing, opposed to encryption on bit level.

Padding

During the decryption cycle, the last byte of each block is inspected. It will expect a value between 0 and 7, telling how much padding space was added. Padding is simply a filler. With the attack these reference bytes are removed, which makes it unclear how much padding was added. This results in valuable data being ignored. This could lead to unexpected behavior and forms the basis of putting in other code to abuse a weakness.

How to test if I’m vulnerable?

Most systems have OpenSSL installed. Although this package got a bad attention lately, it is still fine to test for this vulnerability.

echo "GET /" | openssl s_client -ssl3 -connect localhost:443 2> /dev/null | grep "no peer certificate available" > /dev/null || echo "Vulnerable"

This will send a normal GET request to the HTTPS server (localhost). It expects to get a “no peer certificate available”. If not, then that means the connection is accepted (which is bad) and displays the message.

This snippet can be used to test if your systems are vulnerable. Make sure the target is alive and running a webserver on port 443, or you get a “Vulnerable” message as well.

How do I solve Poodle on Apache?

First we have to search for all virtual hosts which have a SSL protocol defined. Each line that does not contain “-SSLv3” is vulnerable to Poodle.

# Search for all lines containing a SSL protocol definition
 grep -i -r "SSLProtocol" /etc/apache

Replace these lines with:

SSLProtocol all -SSLv2 -SSLv3

This tells Apache to use all protocols, except the weak SSL 2.0 and SSL 3.0 protocols. Do not forget to actually restart Apache on the system.

How do I solve Poodle on Nginx?

# Search for all lines containing a SSL protocol definition
grep -r ssl_protocol /etc/nginx

Change the found references into:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Additional references

OpenSSL: PDF (more technical details)

 

Automate security audits with Lynis and Lynis Enterprise
Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series to get Linux (and Unix-based) systems more secure.

Daily security checks

Want to go to the next level of security scanning and system hardening? Start with automated security scans for Linux: Lynis and Lynis Enterprise.


Automate Scanning »

Leave a Reply

Your email address will not be published. Required fields are marked *