Thursday, October 16, 2014

POODLE: SSLv3 vulnerability (CVE-2014-3566) - UPDATED

UPDATE

 

What Is POODLE?


POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. More details are available in the upstream OpenSSL advisory.
POODLE affects older standards of encryption, specifically Secure Sockets Layer (SSL) version 3.0. It does not affect the newer encryption mechanism known as Transport Layer Security (TLS).

Recommendations


To mitigate this vulnerability SSL 3.0 should be disabled in all affected packages. Red Hat is continuously working at this time to provide additional use cases and guides to disable SSL 3.0.
 

Determining Vulnerability


If you are not a subscriber, the following script can be run against the server in question. The command will return 'SSL 3.0 enabled' if vulnerable and 'SSL 3.0 disabled' if not.

#!/bin/bash
# Probe a server with an SSLv3-only handshake.
# $1 = host (default: local hostname), $2 = port (default: 443).
ulimit -t 5
ret=$(echo Q | timeout 5 openssl s_client -connect "${1-$(hostname)}:${2-443}" -ssl3 2> /dev/null)
if echo "${ret}" | grep -q 'Protocol.*SSLv3'; then
  # s_client prints the negotiated cipher; "0000" means none was agreed, i.e. the SSLv3 handshake failed
  if echo "${ret}" | grep -q 'Cipher.*0000'; then
    echo "SSL 3.0 disabled"
  else
    echo "SSL 3.0 enabled"
  fi
else
  echo "SSL disabled or other error"
fi

NOTE: This script takes the hostname of the server to check as the first argument and an optional port as the second. By default it will check the local system, port 443.
  
You can also test with other tools. Your servers are vulnerable simply if they support SSLv3. Several options here:
With OpenSSL s_client:
 
openssl s_client -connect <host>:<port> -ssl3
 
If the connection succeeds, SSLv3 is enabled. If it fails, it is disabled. When it fails you should see something like:
 
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
  
Using nmap:
  
nmap --script ssl-enum-ciphers -p 443 myhostname.tld
 
It should output 'SSLv3: No supported ciphers found'. Adjust for your hostname/port.
 
Using cipherscan. Clone/download the binary and execute it:
 
./cipherscan myhostname.tld
 
It should not list anything with SSLv3 under the 'protocols' column.
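As an added example (not part of the original post), here is a small Python probe that does the same job as the openssl s_client check above on systems whose OpenSSL build no longer has SSLv3 compiled in: it sends a hand-built SSL 3.0 ClientHello and classifies the server's first record, returning the same three verdicts as the bash script. The cipher-suite list is a constructed choice of common SSLv3-era suites.

```python
import os
import socket
import struct

# Constructed list of cipher suites that SSLv3-era servers commonly accepted.
SSLV3_CIPHERS = [0x0004, 0x0005, 0x000A, 0x002F, 0x0035]


def build_sslv3_client_hello(ciphers=SSLV3_CIPHERS):
    """Return one record (content type 0x16) carrying an SSL 3.0 ClientHello."""
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (
        b"\x03\x00"                                   # client_version = SSL 3.0
        + os.urandom(32)                              # client random
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", len(suites)) + suites     # cipher_suites vector
        + b"\x01\x00"                                 # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) followed by a 3-byte body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the server's first record to the same verdicts as the bash script."""
    if len(data) < 5:
        return "SSL disabled or other error"        # connection closed, or not SSL at all
    rtype, vmaj, vmin = data[0], data[1], data[2]
    if rtype == 0x15:
        return "SSL 3.0 disabled"                   # alert, e.g. handshake_failure / protocol_version
    if rtype == 0x16 and len(data) > 5 and data[5] == 0x02 and (vmaj, vmin) == (3, 0):
        return "SSL 3.0 enabled"                    # ServerHello negotiated at version 3.0
    return "SSL disabled or other error"


def check_sslv3(host, port=443, timeout=5):
    """Connect, send the SSLv3 ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(1024)
        except socket.timeout:
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    print(check_sslv3(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```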

 


How to fix

 
Firefox browser
 
Open about:config, find security.tls.version.min and set the value to 1. Then restart your browser to drop any open SSL connections.
Firefox from version 34 onwards will disable SSLv3 by default and thus require no action (source).
However, at the moment of writing, 33 is just released and 34 is set for November 25.

Google Chrome (Linux)
 
Edit the /usr/share/applications/google-chrome.desktop file, e.g.
sudo nano /usr/share/applications/google-chrome.desktop
Edit all lines starting with Exec= to include --ssl-version-min=tls1.
E.g. a line like

Exec=/usr/bin/google-chrome-stable %U
 
becomes
Exec=/usr/bin/google-chrome-stable --ssl-version-min=tls1 %U
 
Then make sure to fully close the browser (Chrome apps may be keeping your browser active in the background!).
Note: You may need to repeat this after every google-chrome package update, since the update overwrites this .desktop launcher file.
A Google Chrome or Chromium browser with SSLv3 disabled by default is not yet announced at the time of writing.

Apache HTTPD Server
 
If you're running Apache, just include the following line in your configuration among the other SSL directives:
 
SSLProtocol All -SSLv2 -SSLv3
 
Then check if the new configuration is correct (no typos etc.):
 
apachectl configtest
 
And restart the server, e.g.
 
sudo service apache2 restart
 
More info: Apache documentation
Now test it: If your site is publicly available, test it using Qualys’ SSL Labs tool.
 
Nginx server
 
If you're running Nginx, just include the following line in your configuration among the other SSL directives:
 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
And restart the server, e.g.
 
sudo service nginx restart

Reference: Nginx documentation
Now test it: If your site is publicly available, test it using Qualys' SSL Labs tool.
 
Lighttpd webserver
 
Lighttpd versions >1.4.28 support a configuration option to disable SSLv2 and v3. Lighttpd releases before 1.4.28 allow you to disable SSLv2 ONLY.
Please note that Ubuntu 12.04 LTS and earlier install at best lighttpd v1.4.28 and therefore a simple fix is not available for those distributions.
Therefore this fix should only be used for Ubuntu versions greater than 12.04. If someone knows a fix that's good for 12.04 and earlier, please edit this.
Edit your /etc/lighttpd/lighttpd.conf to add the following lines after the ssl.engine = "enable" directive
 
ssl.use-sslv2          = "disable"
ssl.use-sslv3          = "disable"
 
Then you should restart the lighttpd service with a sudo service lighttpd restart and perform an ssl3 handshake test as described in earlier sections to make sure that the change was implemented successfully.
Taken from http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL.
 
Postfix SMTP
 
For 'opportunistic SSL' (encryption policy not enforced and plain is acceptable too), you don't need to change anything. Even SSLv2 is better than plain, so if you need to secure your server you should be using 'mandatory SSL' mode anyway. If 'mandatory SSL' mode is configured already, just add/change the smtpd_tls_mandatory_protocols setting:
 
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
 
and restart Postfix:
 
sudo service postfix restart
 
Sendmail
 
(Unverified edit by anonymous user, I'm not comfortable with Sendmail, please verify.)
These options are configured in the LOCAL_CONFIG section of your sendmail.mc
 
LOCAL_CONFIG
CipherList=HIGH
ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
 
Dovecot
 
In Dovecot v2.1+, add the following to your /etc/dovecot/local.conf (or a new file in /etc/dovecot/conf.d):
 
ssl_protocols = !SSLv2 !SSLv3
 
and restart Dovecot:
 
sudo service dovecot restart
 
For older versions you will have to patch the source code.
 
Courier-imap (imapd-ssl)
 
Courier-imap allows SSLv3 by default on Ubuntu 12.04 and others. You should disable it and use STARTTLS instead to force TLS. Edit your /etc/courier/imapd-ssl configuration file to reflect the following changes:
 
IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CIPHER_LIST=""

HAProxy Server

SSL is supported in HAProxy >= 1.5.
Edit the /etc/haproxy.cfg file and find your bind line. Append no-sslv3. For example (the certificate path and cipher list are placeholders for your own values):

bind :443 ssl crt <cert.pem> ciphers <cipher-list> no-sslv3

Reference: HAProxy Documentation

OpenVPN

Appears to be unaffected (source).
OpenVPN uses TLSv1.0, or (with >=2.3.3) optionally TLSv1.2 and is thus not impacted by POODLE.
 
Tomcat
 
When using Tomcat with the JSSE connectors, the SSL protocol to be used can be configured via $TOMCAT_HOME/conf/server.xml.
The following example shows how the sslProtocol in an https connector is configured.
 
Tomcat 5 and 6 (port 8443 as in the Tomcat documentation examples; adjust to your own):

<Connector port="8443"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />

Tomcat >= 7:

<Connector port="8443"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" />

If the sslEnabledProtocols or sslProtocols attributes are specified, only protocols that are listed and supported by the SSL implementation will be enabled.
If not specified, the JVM default is used. The permitted values may be obtained from the JVM documentation for the allowed values for algorithm when creating an SSLContext instance e.g.
Oracle Java 6 and Oracle Java 7.
 
Tomcat APR
 
When using Tomcat with the APR/Native connectors, the SSL protocol to be used can be configured in $TOMCAT_HOME/conf/server.xml.
The following example shows how the SSLProtocol in an https connector is configured.
 
<Connector port="8443"
           maxThreads="150"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEnabled="true"
           SSLProtocol="TLSv1"
           SSLCertificateFile="${catalina.base}/conf/localhost.crt"
           SSLCertificateKeyFile="${catalina.base}/conf/localhost.key" />
 
Configuration parameters are documented here. The default is for the SSLProtocol attribute to be set to ALL, with other acceptable values being SSLv2, SSLv3, TLSv1
and SSLv2+SSLv3. Starting with version 1.1.21 of the Tomcat native library any combination of the three protocols concatenated with a plus sign will be supported.
Note that the protocol SSLv2 is inherently unsafe.
 

2 comments :

  1. When I did the above in courier-imap I wasn't able to use unencrypted connections in my local network. For example it was not possible into the imap server using roundcube. A simpler method, which seems to work, is to use:

    TLS_PROTOCOL="TLS1_2:TLS1_1:TLS1"

    I have tested this and SSLv3 seems to be disabled:

    $ nmap --script ssl-enum-ciphers -p 993 debian

    Starting Nmap 6.00 ( http://nmap.org ) at 2014-10-20 18:11 AEDT
    Nmap scan report for debian (192.168.0.33)
    Host is up (0.000075s latency).
    rDNS record for 192.168.0.33: debian.mydomain.net.au
    PORT STATE SERVICE
    993/tcp open imaps
    | ssl-enum-ciphers:
    | TLSv1.0
    | Ciphers (5)
    | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
    | TLS_RSA_WITH_AES_128_CBC_SHA - strong
    | TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength
    | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - unknown strength
    | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - unknown strength
    | Compressors (1)
    | NULL
    |_ Least strength = unknown strength

    Nmap done: 1 IP address (1 host up) scanned in 24.23 seconds

  2. Yes, there are such cases. But there are many ways to protect your personal data, one of them is using virtual data rooms review
