Protect Linux systems against SSLv3 Poodle vulnerability

What is the Poodle vulnerability ?

The “Poodle” vulnerability is basicly an attack on the SSL 3.0 protocol. It is discovered in October 2014. The flaw is in the protocol itself (not implementation), which makes the issue applicable for all products using SSL 3.0. TLS 1.0 and later are considered safe against the attack.

How does the attack work?

While we won’t go into too much depth of encryption and ciphers, we will share some basics. When SSL 3.0 is used in CBC mode, it uses a block cipher. Small blocks of data are being evaluated for further processing, opposed to encryption on bit level.

Padding

During the decryption cycle, the last byte of each block is inspected. It will expect a value between 0 and 7, telling how much padding space was added. Padding is simply a filler. With the attack these reference bytes are removed, which makes it unclear how much padding was added. This results in valuable data being ignored. This could lead to unexpected behavior and forms the basis of putting in other code to abuse a weakness.

How to test if I’m vulnerable?

Most systems have OpenSSL installed. Although this package got a bad attention lately, it is still fine to test for this vulnerability.

echo "GET /" | openssl s_client -ssl3 -connect localhost:443 2> /dev/null | grep "no peer certificate available" > /dev/null || echo "Vulnerable"

This will send a normal GET request to the HTTPS server (localhost). It expects to get a “no peer certificate available”. If not, then that means the connection is accepted (which is bad) and displays the message.

This snippet can be used to test if your systems are vulnerable. Make sure the target is alive and running a webserver on port 443, or you get a “Vulnerable” message as well.

How do I solve Poodle?

First we have to search for all virtual hosts which have a SSL protocol defined. Each line that does not contain “-SSLv3” is vulnerable to Poodle.

Search for all lines containing a SSL protocol definition.

Apache

grep -i -r "SSLProtocol" /etc/apache

Replace these lines with:

SSLProtocol all -SSLv2 -SSLv3

This tells Apache to use all protocols, except the weak SSL 2.0 and SSL 3.0 protocols. Do not forget to actually restart Apache on the system.

Nginx

Search for all lines containing a SSL protocol definition.

grep -r ssl_protocol /etc/nginx

Change the found references into:

ssl_protocols TLSv1.2 TLSv1.3;

Additional references

OpenSSL: Poodle SSLv3 vulnerability

Relevant commands in this article

Like to learn more about the commands that were used in this article? Have a look, for some there is a cheat sheet available:

  • grep
  • openssl

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution.

Mastodon icon