In the last month, two of the largest vulnerabilities since Heartbleed have been exposed, leaving networks open to attacks and organizations scrambling to patch their systems. Earlier this week Google revealed the POODLE vulnerability, reigniting the worry of a system breach just as organizations were beginning to feel confident in their network security after applying patches following the discovery of the Shellshock vulnerability. So what are these vulnerabilities and how do they compare?
Shellshock is a vulnerability in the BASH program that is present on almost every Unix-based computer and device in the world (Linux, Mac OS X, Android). Hackers could use Shellshock to take control of a device or even run programs covertly in the background.
POODLE is a vulnerability in the design of the encryption standard Secure Socket Layer (SSL) version 3.0 that makes the 15-year-old protocol nearly impossible to use safely. Used by both websites and web browsers, this vulnerability allows encrypted information to be exposed by an attacker with network access.
How does POODLE compare to Heartbleed and Shellshock?
Heartbleed and Shellshock attackers only need public Internet access to a vulnerable environment in order to exploit a system. Simply sending an HTTP request is sufficient.
Shellshock allows complete compromise of a server environment, while Heartbleed and POODLE can expose sensitive data. With Heartbleed, this data relates both to client and server (e.g., private keys). POODLE mostly exposes client data, such as a credit card number entered into an online shopping purchase form.
In exploitability terms, POODLE is more difficult to take advantage of than Heartbleed and Shellshock. This is because an attacker needs some level of network access to the client or server environment to carry out a man-in-the-middle attack. This attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe they are communicating directly with one another over a private connection when, in fact, the attacker controls the entire conversation.
POODLE poses the biggest mitigation challenge of the three. While Heartbleed and Shellshock require a simple system fix, there is no POODLE patch. Mitigating it requires completely removing SSL v3. The impact of doing so is relatively minor for people using browsers. However, it is huge for API implementations, scripted clients, and all sorts of .Net and Java libraries relying on SSL v3.
Incapsula network data reveals that roughly 2% of all SSL traffic uses v3. So while difficult to fix, it seems to affect only a small amount of traffic over the public Internet.
Incapsula’s cloud-based Application Delivery service enables businesses to simplify their IT operations and reduce costs by consolidating multiple appliances and services into a single cloud solution. Enterprises get best-of-breed security, load balancing, failover and a global CDN, without having to deploy, manage and integrate separate products.