
SSL POODLE attacks on SSLv3 vulnerability

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Oct 15, 2014.

  1. eva2000

    eva2000 Administrator Staff Member

    53,488
    12,130
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,671
    Local Time:
    6:40 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Google Online Security blog just released details of a POODLE SSLv3 vulnerability (Padding Oracle On Downgraded Legacy Encryption) CVE-2014-3566 with the recommendation of implementing TLS_FALLBACK_SCSV in OpenSSL or disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0. Currently, OpenSSL 1.0.1j has been updated with TLS_FALLBACK_SCSV support and Redhat have updates for OpenSSL with TLS_FALLBACK_SCSV support.

    Updates


    POODLE SSLv3 Online Scanner Tools


    POODLE SSLv3 News Articles


    POODLE SSLv3 attack forum discussions


    POODLE SSLv3 info


    OpenSSL patch discussions/info


    • 'Patch to mitigate CVE-2014-3566 ("POODLE")' thread - MARC
    Seems the patch to OpenSSL has been committed to master at Commits · openssl/openssl · GitHub

    Web Browser Specific POODLE SSLv3


    Web server specific POODLE SSLv3


    Microsoft Windows SSLv3


    WHM/Cpanel Disabling SSLv3


    Debian & Ubuntu POODLE SSLv3



     
    Last edited: Nov 1, 2014
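    The POODLE mechanics referred to above (the Google/Mozeller-Langley paper), as a worked simulation. This is an added example, not code from the thread, from OpenSSL or from Centmin Mod. Assumptions: a 4-round Feistel network keyed with HMAC-SHA256 stands in for AES (a toy permutation, not a secure cipher), HMAC-SHA1 stands in for the SSL 3.0 record MAC, and the attacker-controlled JavaScript that real POODLE uses to line the cookie up is modelled by letting the attacker pick how many bytes the victim browser sends before and after the secret. What is faithful is the SSL 3.0 record layout data || MAC || padding and the fact that SSL 3.0 checks only the padding length byte, never the filler bytes. Passing strict_padding=True applies the TLS 1.0 rule (every filler byte must equal the length) and the same attack then recovers nothing.

```python
"""POODLE (CVE-2014-3566) padding-oracle simulation against an SSL 3.0 style CBC record layer."""
import hashlib
import hmac
import random

BLOCK = 16   # AES block size; the toy cipher below uses the same width
MAC_LEN = 20  # HMAC-SHA1 stands in for the SSL 3.0 record MAC


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class ToyBlockCipher:
    """Keyed 16-byte permutation: 4-round Feistel over two 8-byte halves (stand-in for AES, not secure)."""

    def __init__(self, key, rounds=4):
        self.rks = [hmac.new(key, bytes([r]), hashlib.sha256).digest() for r in range(rounds)]

    def _f(self, rk, half):
        return hmac.new(rk, half, hashlib.sha256).digest()[:8]

    def encrypt_block(self, b):
        l, r = b[:8], b[8:]
        for rk in self.rks:
            l, r = r, xor(l, self._f(rk, r))
        return l + r

    def decrypt_block(self, b):
        l, r = b[:8], b[8:]
        for rk in reversed(self.rks):
            l, r = xor(r, self._f(rk, l)), l
        return l + r


class SSL3Record:
    """CBC record layer: encrypt(plaintext) -> (iv, ct); decrypt_ok(iv, ct) is the oracle the server leaks."""

    def __init__(self, key, mac_key, rng, strict_padding=False):
        self.cipher, self.mac_key, self.rng, self.strict = ToyBlockCipher(key), mac_key, rng, strict_padding

    def mac(self, data):
        return hmac.new(self.mac_key, data, hashlib.sha1).digest()

    def encrypt(self, plaintext):
        data = plaintext + self.mac(plaintext)
        pad_len = BLOCK - 1 - len(data) % BLOCK                              # filler bytes before the length byte
        filler = bytes(self.rng.getrandbits(8) for _ in range(pad_len))    # SSL 3.0: filler content is arbitrary
        data += filler + bytes([pad_len])
        iv = bytes(self.rng.getrandbits(8) for _ in range(BLOCK))
        prev, out = iv, []
        for i in range(0, len(data), BLOCK):
            prev = self.cipher.encrypt_block(xor(data[i:i + BLOCK], prev))
            out.append(prev)
        return iv, b"".join(out)

    def decrypt_ok(self, iv, ct):
        prev, out = iv, []
        for i in range(0, len(ct), BLOCK):
            out.append(xor(self.cipher.decrypt_block(ct[i:i + BLOCK]), prev))
            prev = ct[i:i + BLOCK]
        data = b"".join(out)
        pad_len = data[-1]
        if pad_len >= BLOCK:
            return False
        if self.strict and any(b != pad_len for b in data[-1 - pad_len:-1]):
            return False                                                   # TLS 1.0 rejects wrong filler bytes
        body = data[:-1 - pad_len]
        if len(body) < MAC_LEN:
            return False
        return hmac.compare_digest(body[-MAC_LEN:], self.mac(body[:-MAC_LEN]))


def poodle_recover(send_request, server_accepts, secret_len, max_tries=256 * 40):
    """send_request(prefix_len, suffix_len) -> (iv, ct): the victim browser, steered by attacker JS, sends
    the secret (a cookie) with attacker-chosen bytes around it. server_accepts(iv, ct) -> bool is the one
    bit the network attacker observes (record accepted vs. fatal alert)."""
    recovered = bytearray()
    for k in range(secret_len):
        p = (BLOCK - 1 - k) % BLOCK                   # prefix length: secret[k] becomes the last byte of block i
        i = (p + k) // BLOCK
        s = -(p + secret_len + MAC_LEN) % BLOCK       # suffix length: final block becomes pure padding (length byte 15)
        for _ in range(max_tries):
            iv, ct = send_request(p, s)
            c = [iv] + [ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK)]   # c[0] = IV, c[m+1] = C_m
            forged = b"".join(c[1:-1]) + c[i + 1]     # replace the padding block C_n with C_i
            if server_accepts(iv, forged):
                # accepted only when D(C_i)[15] ^ C_{n-1}[15] == 15; and P_i[15] = D(C_i)[15] ^ C_{i-1}[15]
                recovered.append(15 ^ c[-2][15] ^ c[i][15])
                break
        else:
            return None                               # never accepted: no oracle (e.g. strict padding)
    return bytes(recovered)


def simulate(secret, seed=1, strict_padding=False, max_tries=256 * 40):
    rng = random.Random(seed)

    def rand(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    rec = SSL3Record(rand(16), rand(20), rng, strict_padding)

    def browser_request(prefix_len, suffix_len):
        return rec.encrypt(b"A" * prefix_len + secret + b"B" * suffix_len)

    return poodle_recover(browser_request, rec.decrypt_ok, len(secret), max_tries)


if __name__ == "__main__":
    print(simulate(b"cookie42"))                                          # b'cookie42', about 256 requests per byte
    print(simulate(b"cookie42", strict_padding=True, max_tries=2000))     # None: TLS-style padding gives no oracle
```

    Each secret byte costs about 256 victim requests on average, which is why the attack is practical in a browser (the JavaScript just keeps issuing requests). With TLS-style padding checks the forged record is rejected every time, so the server-side fixes in this thread (turning SSLv3 off, or at least TLS_FALLBACK_SCSV so a MITM cannot force a downgrade to it) are what remove the oracle.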
  2. eva2000

    If disabling SSLv3 completely, make sure to check Google Analytics and other stats to see how much impact it has on visitors, i.e. Internet Explorer 6 visitors and Java 6 clients.

    According to Mozilla, the oldest (intermediate) supporting web browsers for non-SSLv3 based TLSv1, TLSv1.1 and TLSv1.2 are Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, and Java 7.
    Code:
    Modern    Firefox 27, Chrome 22, IE 11, Opera 14, Safari 7, Android 4.4, Java 8
    Intermediate    Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
    Old    Windows XP IE6, Java 6
    For example, for this forum only 1 out of 31,265 sessions is WinXP IE6 affected = 0.0032%. But my stats are skewed as I have had SSLv3 disabled for a while now, so GA wouldn't have recorded SSL/https visits by such older browsers as the pages may not have loaded? GA stats would only be accurate for https sites still with SSLv3 support enabled.

    [image: ga_xp_browserstats_00.png]

    Example of an older web site which would be more affected by disabling SSLv3 as it has quite a number of IE <7 users at ~9.8%

    [image: ga_xp_browserstats2_00.png]
     
    Last edited: Oct 15, 2014
  3. eva2000

    For Centmin Mod Nginx users who are using a statically compiled OpenSSL version, I am playing with the above posted OpenSSL 1.0.1 branch patches (I also have to test OpenSSL 1.0.2 as I am using a chacha20_poly1305 cipher-patched version on this forum too) :)

    Code:
    patching finished
    patched compressed tarball at /usr/local/src/poodle
    total 4.6M
    drwxr-xr-x  3 root root 4.0K Oct 15 04:42 .
    drwxr-xr-x  4 root root 4.0K Oct 15 04:42 ..
    drwxr-xr-x 22 root root 4.0K Oct 15 04:42 openssl-1.0.1i
    -rw-r--r--  1 root root 4.6M Oct 15 04:42 openssl-1.0.1i.tar.gz
    Code:
    creating patched compressed tarball...
    
    patching finished
    patched compressed tarball at /usr/local/src/poodle
    total 5.4M
    drwxr-xr-x  3 root root 4.0K Oct 15 05:07 .
    drwxr-xr-x  4 root root 4.0K Oct 15 05:07 ..
    drwxrwxr-x 22 root root 4.0K Oct 15 05:07 openssl-1.0.2-chacha
    For Centmin Mod .07 stable release users to try the Nginx static OpenSSL 1.0.1i patch, try these steps in SSH

    First patch your OpenSSL 1.0.1i source
    Code:
    cd /svr-setup/openssl-1.0.1i
    # fetch the upstream TLS_FALLBACK_SCSV commit as a patch; --no-check-certificate skips
    # verifying github.com's certificate, so leave it out if your wget trusts the system CA bundle
    wget --no-check-certificate -cnv -O poodle.patch https://github.com/openssl/openssl/commit/6bfe55380abbf7528e04e59f18921bd6c896af1c.patch
    # apply from inside the source tree, stripping the a/ and b/ path prefixes
    patch -p1 < poodle.patch
    
    Then recompile the Nginx web server's statically compiled OpenSSL 1.0.1i by running centmin.sh, selecting menu option 4 and specifying the Nginx version you want to compile, e.g. 1.7.6.

    If prompted to recompile OpenSSL, answer yes. Note the prompt only happens for Centmin Mod .07 stable users. Centmin Mod .08+ beta changed it to auto recompile only if the OpenSSL version defined in centmin.sh differs from the running Nginx server's statically compiled OpenSSL version. Centmin Mod .08 beta users can manually work around this by editing inc/nginx_upgrade.inc line 107 and setting it to recompileopenssl='y' before running centmin.sh menu option 4.
    Code:
    Centmin Mod 1.2.3-eva2000.07 - http://centminmod.com
    --------------------------------------------------------
                       Centmin Mod Menu          
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2, 5.5, 10 Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install ioping.sh vbtechsupport.com/1239/
    14). SELinux disable
    15). Install/Re-install ImageMagick PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2,p7zip etc
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Re-install
    21). Update - Nginx + PHP-FPM + Siege
    22). Exit
    --------------------------------------------------------
    Enter option [ 1 - 22 ] 4
    --------------------------------------------------------
    
    Let that compile until you see the "Nginx compiled / installed successfully" message and return to the shell menu.

    Code:
    real    0m0.353s
    user    0m0.039s
    sys     0m0.069s
    Starting nginx:                                            [  OK  ]
    *************************************************
    
    Wed Oct 15 13:26:26 UTC 2014
    Success: Nginx was installed properly
    
    *************************************************
    *************************************************
    * nginx updated
    *************************************************
    
    Then hit 22 to exit the centmin.sh menu, and check your https SSL sites on the Centmin Mod Nginx web stack via the online POODLE SSLv3 attack scanner at Free POODLE SSL Security Vulnerability Check | Tinfoil Security. Edit: seems that scanner only detects if SSLv3 is enabled or disabled and not if you're patched for TLS_FALLBACK_SCSV support?

    Let me know how you fare.

    I haven't been able to test this as all my sites right now are using OpenSSL 1.0.2 beta3/4 with chacha20_poly1305 cipher support + Cloudflare RC4 kill patch and I have SSLv3 disabled.
     
    Last edited: Oct 15, 2014
  4. eva2000

    Looks like OpenSSL 1.0.1j is coming soon, so I might not even bother with patching OpenSSL 1.0.1i (Commits · openssl/openssl · GitHub)?

    Code:
    OpenSSL CHANGES
    _______________
    
    Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
    
      *) SRTP Memory Leak.
    
         A flaw in the DTLS SRTP extension parsing code allows an attacker, who
         sends a carefully crafted handshake message, to cause OpenSSL to fail
         to free up to 64k of memory causing a memory leak. This could be
         exploited in a Denial Of Service attack. This issue affects OpenSSL
         1.0.1 server implementations for both SSL/TLS and DTLS regardless of
         whether SRTP is used or configured. Implementations of OpenSSL that
         have been compiled with OPENSSL_NO_SRTP defined are not affected.
    
         The fix was developed by the OpenSSL team.
         (CVE-2014-3513)
         [OpenSSL team]
    
      *) Session Ticket Memory Leak.
    
         When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
         integrity of that ticket is first verified. In the event of a session
         ticket integrity check failing, OpenSSL will fail to free memory
         causing a memory leak. By sending a large number of invalid session
         tickets an attacker could exploit this issue in a Denial Of Service
         attack.
         (CVE-2014-3567)
         [Steve Henson]
    
      *) Build option no-ssl3 is incomplete.
    
         When OpenSSL is configured with "no-ssl3" as a build option, servers
         could accept and complete a SSL 3.0 handshake, and clients could be
         configured to send them.
         (CVE-2014-3568)
         [Akamai and the OpenSSL team]
    
      *) Add support for TLS_FALLBACK_SCSV.
         Client applications doing fallback retries should call
         SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
         (CVE-2014-3566)
         [Adam Langley, Bodo Moeller]
    
      *) Add additional DigestInfo checks.
         Reencode DigestInto in DER and check against the original when
         verifying RSA signature: this will reject any improperly encoded
         DigestInfo structures.
    
         Note: this is a precautionary measure and no attacks are currently known.
    
         [Steve Henson]
     
  5. eva2000

    Ah they're pretty quick this time, OpenSSL 1.0.1j has been officially released OpenSSL: The Open Source toolkit for SSL/TLS

    https://www.openssl.org/news/secadv_20141015.txt

    Code:
    OpenSSL Security Advisory [15 Oct 2014]
    =======================================
    
    SRTP Memory Leak (CVE-2014-3513)
    ================================
    
    Severity: High
    
    A flaw in the DTLS SRTP extension parsing code allows an attacker, who
    sends a carefully crafted handshake message, to cause OpenSSL to fail
    to free up to 64k of memory causing a memory leak. This could be
    exploited in a Denial Of Service attack. This issue affects OpenSSL
    1.0.1 server implementations for both SSL/TLS and DTLS regardless of
    whether SRTP is used or configured. Implementations of OpenSSL that
    have been compiled with OPENSSL_NO_SRTP defined are not affected.
    
    OpenSSL 1.0.1 users should upgrade to 1.0.1j.
    
    This issue was reported to OpenSSL on 26th September 2014, based on an original
    issue and patch developed by the LibreSSL project. Further analysis of the issue
    was performed by the OpenSSL team.
    
    The fix was developed by the OpenSSL team.
    
    
    Session Ticket Memory Leak (CVE-2014-3567)
    ==========================================
    
    Severity: Medium
    
    When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
    integrity of that ticket is first verified. In the event of a session
    ticket integrity check failing, OpenSSL will fail to free memory
    causing a memory leak. By sending a large number of invalid session
    tickets an attacker could exploit this issue in a Denial Of Service
    attack.
    
    OpenSSL 1.0.1 users should upgrade to 1.0.1j.
    OpenSSL 1.0.0 users should upgrade to 1.0.0o.
    OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
    
    This issue was reported to OpenSSL on 8th October 2014.
    
    The fix was developed by Stephen Henson of the OpenSSL core team.
    
    
    SSL 3.0 Fallback protection
    ===========================
    
    Severity: Medium
    
    OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
    to block the ability for a MITM attacker to force a protocol
    downgrade.
    
    Some client applications (such as browsers) will reconnect using a
    downgraded protocol to work around interoperability bugs in older
    servers. This could be exploited by an active man-in-the-middle to
    downgrade connections to SSL 3.0 even if both sides of the connection
    support higher protocols. SSL 3.0 contains a number of weaknesses
    including POODLE (CVE-2014-3566).
    
    OpenSSL 1.0.1 users should upgrade to 1.0.1j.
    OpenSSL 1.0.0 users should upgrade to 1.0.0o.
    OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
    
    https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
    https://www.openssl.org/~bodo/ssl-poodle.pdf
    
    Support for TLS_FALLBACK_SCSV was developed by Adam Langley and Bodo Moeller.
    
    
    Build option no-ssl3 is incomplete (CVE-2014-3568)
    ==================================================
    
    Severity: Low
    
    When OpenSSL is configured with "no-ssl3" as a build option, servers
    could accept and complete a SSL 3.0 handshake, and clients could be
    configured to send them.
    
    OpenSSL 1.0.1 users should upgrade to 1.0.1j.
    OpenSSL 1.0.0 users should upgrade to 1.0.0o.
    OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
    
    This issue was reported to OpenSSL by Akamai Technologies on 14th October 2014.
    
    The fix was developed by Akamai and the OpenSSL team.
    
    
    References
    ==========
    
    URL for this Security Advisory:
    https://www.openssl.org/news/secadv_20141015.txt
    
    Note: the online version of the advisory may be updated with additional
    details over time.
    
    For details of OpenSSL severity classifications please see:
    https://www.openssl.org/about/secpolicy.html
    
     
  6. rdan

    rdan Well-Known Member

    5,439
    1,398
    113
    May 25, 2014
    Ratings:
    +2,187
    Local Time:
    4:40 AM
    Mainline
    10.2
    Centos Repo should update in a few hours I hope.
     
  7. eva2000

    Last edited: Oct 16, 2014
  8. rdan

    I mean core OS.
    :)
     
  9. eva2000

    yeah, have a placeholder TBA for that on the above link :)
     
  10. eva2000

    One of the better explanations on POODLE SSLv3 attack by Mozilla The POODLE Attack and the End of SSL 3.0 | Mozilla Security Blog

     
    Last edited: Oct 16, 2014
  11. rdan

  12. eva2000

  13. rdan

    Where is the file that needs an update?
     
  14. eva2000

  15. eva2000

    What you see if your site has SSLv3 disabled:
    Code:
    echo -n |  openssl s_client -ssl3 -connect community.centminmod.com:443
    CONNECTED(00000003)
    140722582460232:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
    140722582460232:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
    POODLE: SSLv3 vulnerability (CVE-2014-3566) - Red Hat Customer Portal

     
    Last edited: Oct 16, 2014
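    The check above (and the "check your https sites" step at the end of the recompile procedure in post 3) as a small script. This is an added example, not code from the thread or from Centmin Mod. It runs the same `openssl s_client -ssl3` probe and classifies its output, and adds the downgrade probe `openssl s_client -tls1 -fallback_scsv`: the -fallback_scsv option exists in the OpenSSL 1.0.1j / 1.0.2 s_client and newer, and a server that supports TLS_FALLBACK_SCSV answers a deliberately downgraded TLS 1.0 hello carrying it with an inappropriate_fallback alert (alert number 86), which the Tinfoil scanner mentioned in post 3 does not test. The s_client outputs and the nginx config embedded below are constructed samples so the classifiers run offline; probe() needs a network and an openssl binary. The nginx audit goes beyond the thread: with no ssl_protocols directive the nginx built-in default applies, which included SSLv3 until nginx 1.9.1, so the 1.7.x builds discussed here have SSLv3 on unless the directive says otherwise.

```python
"""Probe a host for SSL 3.0 acceptance and TLS_FALLBACK_SCSV support; audit nginx ssl_protocols."""
import re
import subprocess


def run_s_client(host, port=443, *extra, timeout=10):
    """Run openssl s_client with stdin closed (same effect as `echo -n |`) and return stdout+stderr."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port), *extra]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return (proc.stdout + proc.stderr).decode("utf-8", "replace")


def classify_sslv3(output):
    """'rejected' if the SSLv3 ClientHello drew a fatal alert, 'accepted' if a real cipher was negotiated.
    Alerts are checked first: s_client prints an SSL-Session block with 'Protocol : SSLv3' even on failure."""
    if re.search(r"alert handshake failure|alert number 40|wrong version number|alert protocol version", output):
        return "rejected"
    if re.search(r"^\s*Protocol\s*:\s*SSLv3", output, re.M) and re.search(r"Cipher is (?!\(NONE\))", output):
        return "accepted"
    return "unknown"


def classify_fallback(output):
    """'supported' if a TLS 1.0 hello carrying TLS_FALLBACK_SCSV drew inappropriate_fallback (alert 86);
    'not supported' if the server quietly completed the downgraded handshake."""
    if re.search(r"inappropriate fallback|alert number 86", output):
        return "supported"
    if re.search(r"^\s*Protocol\s*:\s*TLSv1\s*$", output, re.M) and re.search(r"Cipher is (?!\(NONE\))", output):
        return "not supported"
    return "unknown"


def probe(host, port=443):
    """Live check (needs network + openssl). A POODLE-safe host reports rejected / supported."""
    return {
        "sslv3": classify_sslv3(run_s_client(host, port, "-ssl3")),
        "fallback_scsv": classify_fallback(run_s_client(host, port, "-tls1", "-fallback_scsv")),
    }


def nginx_sslv3_exposure(conf_text):
    """One (directive, sslv3_enabled) pair per ssl_protocols directive. No directive at all means the
    nginx default applies, which included SSLv3 before nginx 1.9.1, so that is reported as enabled."""
    directives = re.findall(r"^\s*ssl_protocols\s+([^;]+);", conf_text, re.M)
    if not directives:
        return [("<default>", True)]
    return [(d.strip(), bool(re.search(r"\bSSLv3\b", d))) for d in directives]


# Constructed sample outputs (modelled on the s_client output quoted in this thread), not captures.
SAMPLE_SSLV3_REJECTED = """CONNECTED(00000003)
140722582460232:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140722582460232:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
"""
SAMPLE_SSLV3_ACCEPTED = """CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
"""
SAMPLE_FALLBACK_SUPPORTED = """CONNECTED(00000003)
140...:error:...:SSL routines:SSL3_READ_BYTES:tlsv1 alert inappropriate fallback:s3_pkt.c:...:SSL alert number 86
140...:error:...:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:...:
"""
SAMPLE_NGINX_CONF = """server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # weak: SSLv3 still offered
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;         # POODLE-safe
}
"""

if __name__ == "__main__":
    print(classify_sslv3(SAMPLE_SSLV3_REJECTED), classify_sslv3(SAMPLE_SSLV3_ACCEPTED))   # rejected accepted
    print(classify_fallback(SAMPLE_FALLBACK_SUPPORTED))                                   # supported
    print(nginx_sslv3_exposure(SAMPLE_NGINX_CONF))
```

    Run probe("your.host") per https vhost after the recompile; "rejected" plus "supported" is the state you want. Disabling SSLv3 outright is the stronger fix, but TLS_FALLBACK_SCSV is what protects clients that can still be talked into a downgrade by a MITM even when both ends speak TLS 1.2.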
  16. rdan

    Remember ngx_pagespeed lazy load image doesn't work properly without SSL3 ? :)
     
  17. eva2000

    Actually seems to be working on this forum with SSLv3 disabled.. browse around and see :D

    Seems, according to Redhat comments at POODLE: SSLv3 vulnerability (CVE-2014-3566) - Red Hat Customer Portal, the postfix config needs tweaking too for the smtpd_tls_mandatory_protocols setting.
    By default postfix seems to have set:
    Code:
    postconf -d | grep smtpd_tls_mandatory_protocols
    smtpd_tls_mandatory_protocols = !SSLv2
    from Postfix TLS Support
    Trying this on this forum's postfix

    disable SSLv3
    Code:
    postconf -e 'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3'
    
    checking new custom setting should return
    Code:
    postconf -n | grep smtpd_tls_mandatory_protocols
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    
    restart postfix
    Code:
    service postfix restart
     
    Last edited: Oct 16, 2014
  18. eva2000

    Redhat Blog article at POODLE – An SSL 3.0 Vulnerability (CVE-2014-3566) | Red Hat Security; suggest you read the full article

     
  19. eva2000

  20. eva2000

    ooh What is POODLE and how do I protect myself? - Webroot Community

    SSLv3 by the numbers POODLE Attack and SSLv3 Deployment

    Scary: look which is the number 1 site without TLS support - a bank!