There’s a new SSL/TLS problem that was recently announced, and it’s likely to affect some of the most popular web sites in the world. The scale of this vulnerability is owning largely to the popularity of F5 load balancers and the fact that these devices are capable of being exploited. There are other devices known to be affected, and it’s possible that the same flaw is present in some SSL/TLS stacks. We will learn more in the following days.
If you want to stop reading here, take these steps: 1) Check your web site using the SSL Labs test ; 2) If vulnerable, apply the patch provided by your vendor. As problems go, this one should be easy to fix.
Featured Download: Social media access at work. Do your employees know the rules?
The recent announcement is actually about the POODLE attack, which was disclosed two months ago back in October. It has since been repurposed to attack TLS. If you recall, SSL 3 doesn’t require its padding to be in any particular format (except for the last byte, the length), opening itself to attacks by active network attackers. However, even though TLS is very strict about how its padding is formatted, it turns out that some TLS implementations omit checks of the padding structure after decryption. Such implementations are vulnerable to the POODLE attack even with TLS.
The impact of this problem is similar to that of POODLE, with the attack being slightly easier to execute. There is no longer a need to downgrade modern clients down to SSL 3 first. TLS 1.2 will do just fine. The main target is browsers because the attacker must inject malicious JavaScript to initiate the attack. A successful exploit will use about 256 requests to uncover one cookie character, or only 4096 requests for a 16-character cookie. This makes the attack quite practical.
According to our most recent SSL Pulse scan (which hasn’t been published yet), about 10% of all servers are vulnerable to the POODLE attack against TLS.
By Ivan Ristic, Director of Engineering, Qualys
About Qualys, Inc.
The Qualys Cloud Platform and integrated suite of solutions helps businesses simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications.
Used by more than 6,700 customers in over 100 countries, including a majority of the Forbes Global 100, the Qualys Cloud Platform performs more than 1 billion IP scans/audits a year resulting in over 400 billion security events.Founded in 1999, Qualys has established strategic partnerships with leading managed service providers and consulting organizations including BT, Dell SecureWorks, Fujitsu, IBM, NTT, Symantec, Verizon, and Wipro. The company is also a founding member of the Council on CyberSecurity and the Cloud Security Alliance (CSA).
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.