ESA-28: The POODLE Attack
2 views
Skip to first unread message
Eucalyptus Security Team
Oct 15, 2014, 7:33:35 PM10/15/14
to security...@eucalyptus.com
ESA-28: The POODLE Attack
====================================================================
Eucalyptus Security Advisory
Advisory ID: ESA-28
Issue Date: 2014-10-15
Last Updated: 2014-10-15
Severity Level: Important
Affected Versions: Eucalyptus Management Console, eucalyptus-load-balancer-image v1.0.5-1.1.2
CVE Number: CVE-2014-3566
====================================================================
OVERVIEW
------------
The Padding Oracle On Downgraded Legacy Encryption (POODLE) attack affects SSL 3.0 and allows for a man-in-the-middle attack against SSL/TLS connections. This vulnerability affects Eucalyptus Management Console (EMC) when HTTPS is used. It also can affect load balancers created from eucalyptus-load-balancer-image v1.0.5-1.1.2 if SSL or HTTPS protocols are used. We recommend disabling SSL 3.0 on the console to address this issue. We’re working on creating an updated eucalyptus-load-balancer-image that will have SSL 3.0 explicitly disabled.
DESCRIPTION
-------------
The POODLE attack has been announced against SSL 3.0:
https://www.openssl.org/~bodo/ssl-poodle.pdf
This vulnerability allows for a man-in-the-middle attack against SSL/TLS connections. If an application repeatedly sends the same data over an SSL 3.0 connection, a selected byte of a cipher text can be decrypted by an attacker in as few as 256 tries. This vulnerability can be exploited if both a client and a server support SSL 3.0. The attack can allow to, for example, steal secure cookies in web applications.
As of Eucalyptus Management Console 4.0.0, nginx is required to enable secure communication with the console:
https://www.eucalyptus.com/docs/eucalyptus/4.0.1/index.html#shared/console_config_ssl_certs.html
By default, SSL 3.0 is enabled on nginx making it potentially vulnerable to the POODLE attack.
This vulnerability also affects HTTPS/SSL load balancers created from eucalyptus-load-balancer-image v1.0.5-1.1.2. This specifically affects any load balancers that work with applications that repeatedly send (or can be forced to repeatedly send) sensitive data over SSL.
SOLUTION
-------------
To disable SSL 3.0 on nginx, add the following line to the SSL configuration section in /etc/nginx/nginx.conf:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
WORKAROUND
-------------
Disabling SSL 3.0 support on the client (such as in the browser) is a sufficient measure to protect against the POODLE attack.
CONTACT and HELP
-------------
Contact the Eucalyptus Security Team at secu...@eucalyptus.com.
====================================================================
Eucalyptus Security Advisory
Advisory ID: ESA-28
Issue Date: 2014-10-15
Last Updated: 2014-10-15
Severity Level: Important
Affected Versions: Eucalyptus Management Console, eucalyptus-load-balancer-image v1.0.5-1.1.2
CVE Number: CVE-2014-3566
====================================================================
OVERVIEW
------------
The Padding Oracle On Downgraded Legacy Encryption (POODLE) attack affects SSL 3.0 and allows for a man-in-the-middle attack against SSL/TLS connections. This vulnerability affects Eucalyptus Management Console (EMC) when HTTPS is used. It also can affect load balancers created from eucalyptus-load-balancer-image v1.0.5-1.1.2 if SSL or HTTPS protocols are used. We recommend disabling SSL 3.0 on the console to address this issue. We’re working on creating an updated eucalyptus-load-balancer-image that will have SSL 3.0 explicitly disabled.
DESCRIPTION
-------------
The POODLE attack has been announced against SSL 3.0:
https://www.openssl.org/~bodo/ssl-poodle.pdf
This vulnerability allows for a man-in-the-middle attack against SSL/TLS connections. If an application repeatedly sends the same data over an SSL 3.0 connection, a selected byte of a cipher text can be decrypted by an attacker in as few as 256 tries. This vulnerability can be exploited if both a client and a server support SSL 3.0. The attack can allow to, for example, steal secure cookies in web applications.
As of Eucalyptus Management Console 4.0.0, nginx is required to enable secure communication with the console:
https://www.eucalyptus.com/docs/eucalyptus/4.0.1/index.html#shared/console_config_ssl_certs.html
By default, SSL 3.0 is enabled on nginx making it potentially vulnerable to the POODLE attack.
This vulnerability also affects HTTPS/SSL load balancers created from eucalyptus-load-balancer-image v1.0.5-1.1.2. This specifically affects any load balancers that work with applications that repeatedly send (or can be forced to repeatedly send) sensitive data over SSL.
SOLUTION
-------------
To disable SSL 3.0 on nginx, add the following line to the SSL configuration section in /etc/nginx/nginx.conf:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
WORKAROUND
-------------
Disabling SSL 3.0 support on the client (such as in the browser) is a sufficient measure to protect against the POODLE attack.
CONTACT and HELP
-------------
Contact the Eucalyptus Security Team at secu...@eucalyptus.com.
Reply all
Reply to author
Forward
0 new messages