In September, OpenSSL.org announced another SSL exploit. Charmingly dubbed POODLE (after the acronym Padding Oracle On Downgraded Legacy Encryption), the attack is designed to take advantage of a vulnerability in the SSL V 3.0 protocol using the CBC mode encryption. So it’s slightly less cuddly than it sounds.
Though a few other vulnerabilities were also disclosed at the same time, POODLE seems to have gained most of the newsprint and garnered a majority of the attention. The attack is designed to exploit the vulnerability found in the implementation of the CBC mode in SSL V 3.0 where, in the padding, bytes are not checked against any value nor covered by the message digest (MAC). The attack itself follows the man-in-the-middle format, involving a client downgrade dance, along with the attacker having the ability to control/modify the traffic from the client to a server.
Free eBook: Modern Retail Security Risk – Get your copy now.
By carefully crafting and sending a huge number of requests to a server, an attacker can extract various parts of a HTTP communication. This could be the Cookie key-values or Authentication headers. After extracting the intended parts, the attacker can later infiltrate and cause data leakage. Although it’s fairly complicated to carry out and involves some intricacy in execution, it’s not overly difficult considering the computing resources now available to hackers.
The engineering team at Netskope continuously monitors thousands of cloud apps, and our preliminary analysis showed that as of 15th October, a total of 3,562 apps were still vulnerable due to their current support for SSL V 3.0. By 21st October, this number had fallen to 1,632, and at the time of writing, the figure has shrunk again to 1,205. Our advice to vendors has been that they should turn-off the support for SSL V 3.0 and monitor for anomalous behaviours on any other network protection devices (e.g. IPS). Examples could include using SSL V 3.0 flows with CBC mode and generating an extraordinary number of connection failures or seeing a huge amount of web server error messages in a very short space of time.
Although there are now far fewer cloud apps which are vulnerable to POODLE, that doesn’t mean that companies should assume they are safe. Normal protocol in this scenario would be to speak to cloud app vendors to check that they are no longer vulnerable to POODLE. However the nature of cloud app use within organisations today makes this task very difficult.
The latest Netskope Cloud Report found that there are now 579 cloud apps on average in use within the enterprise. Just the thought of contacting all of these providers to make the necessary checks is enough to make the IT team’s heads spin. But when you consider that most organisations don’t have any visibility into the unsanctioned cloud apps being used by their employees, well then the task becomes utterly impossible.
Some firms get around this problem by using cloud app security solutions, what Gartner calls “cloud access security brokers” (CASBs). The outlook is much better for these companies, although they must check that their chosen solution is configured never to fall back to SSL 3.0 protocol. This ensures that traffic going through the solution is secure and not susceptible to the POODLE attack.
Heartbleed, Shellshock, POODLE. We don’t know what’s coming next, but after the emergence of three major vulnerability exploits this year, we can be certain about one thing: there will be more, and the next one could be a Rottweiler.
By Eduard Meelhuysen, VP EMEA, Netskope
About Netskope
Netskope™ is the leader in safe cloud enablement. Only the Netskope Active PlatformTM provides discovery, deep visibility, and granular control of sanctioned and unsanctioned cloud apps. With Netskope, IT can direct usage, protect sensitive data, and ensure compliance in real-time, on any device, and with the broadest range of deployment options in the market. With Netskope, businesses can move fast, with confidence.
Netskope is headquartered in Los Altos, California. Visit us at www.netskope.com and follow us on Twitter @Netskope.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.