Poodle Vulnerability - Confusion


Big Boss
Feb 22, 2015, 11:55:03 PM
to null-...@googlegroups.com
Recently I carried out a network scan on an IP range using Nessus. Among the vulnerabilities Nessus found was "SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)".
This was found on an IP which I later found to be an Access Manager.

However, the company (maker of the Access Manager) has released an advisory saying that they are not vulnerable to POODLE.

To confirm the POODLE vulnerability found by Nessus, I tried using the Nmap POODLE script.
Unfortunately it didn't give any result.
Debug mode for Nmap gives the following output for the Nmap script:
Initiating NSE at 23:48
NSE: rpc-grind: isRPC didn't receive response.
NSE: Target port {port} is not a RPC port.
NSE: Finished rpc-grind against {IP}:{PORT}.
NSE: Finished skypev2-version against {IP}:{PORT}.
Completed NSE at 23:49, 30.02s elapsed

Next I tried sslscan. It gave the result below:
Accepted  SSLv3  128 bits  ADH-AES128-SHA
Accepted  SSLv3  168 bits  ADH-DES-CBC3-SHA
Accepted  SSLv3   56 bits  ADH-DES-CBC-SHA
Accepted  SSLv3  128 bits  ADH-RC4-MD5
Accepted  TLSv1  128 bits  ADH-AES128-SHA
Accepted  TLSv1  168 bits  ADH-DES-CBC3-SHA
Accepted  TLSv1   56 bits  ADH-DES-CBC-SHA
Accepted  TLSv1  128 bits  ADH-RC4-MD5

I know that it shows weak ciphers too; however, coming back to the POODLE issue, I noticed that it shows SSLv3 along with CBC mode. CVE-2014-3566 mentions "uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue".

Also, the remediation mentioned on the Google blog (http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html) says "Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue".

So from the above, I take it that if SSLv3 along with a CBC cipher suite is present then it would be vulnerable to POODLE. However, as pointed out earlier, the published advisory mentions that it is not vulnerable to POODLE, and the Nmap POODLE script doesn't work on it either. I can't use online sites to check it as it is an internal IP.

So I just wanted to understand whether it is a POODLE issue or not.
My understanding is that SSLv3 along with a CBC cipher means vulnerable to POODLE. Is that correct or not?
Is there any other tool which can help me with identifying/validating the POODLE issue?

[Optional] Also, as we are on the topic of POODLE, can someone also explain TLS POODLE? How to scan and validate it? What should be the recommendation to fix it?
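The two questions above (does SSLv3 + a CBC suite by itself mean POODLE, and what is "TLS POODLE") come down to one detail of the record layer: how the receiver checks CBC padding. The following is an added example, not code from the original thread or from any vendor, that simulates the attack end to end. A victim MAC-then-encrypts a request in which an attacker controls the bytes before and after a secret cookie, a server accepts or rejects records, and the attacker recovers the secret one byte per roughly 256 attempts when the server applies the SSLv3 padding rule (only the length byte is checked), but gets nothing when the server applies the TLS 1.0 rule (every padding byte must equal the length byte). A TLS stack that applies the SSLv3 rule is exactly the TLS POODLE bug, which is why that one is fixed by patching the server software rather than by turning off a protocol version. Everything here is constructed for the demo: the keys, the secret, an 8-round SHA-256 Feistel block cipher standing in for AES so the script needs only the standard library, and HMAC-SHA1 standing in for the SSLv3 record MAC.

```python
"""POODLE as a padding oracle: SSLv3-style vs TLS-style CBC padding checks (constructed demo)."""
import hashlib
import hmac
import os

BLOCK = 16
MAC_LEN = 20                                  # SHA-1 sized MAC, as in the *_SHA suites from sslscan
SECRET = b"tok=4f9a"                          # constructed: the cookie the attacker wants; never read by the attacker
ENC_KEY, MAC_KEY = b"\x11" * 16, b"\x22" * 16  # constructed; never visible to the attacker


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key, block):
    """8-round Feistel network over 16-byte blocks: a real invertible PRP, just not AES."""
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)


def seal_record(data):
    """MAC-then-encrypt as in SSLv3/TLS 1.0 CBC: data || MAC || padding, with the length byte last."""
    mac = hmac.new(MAC_KEY, data, hashlib.sha1).digest()
    padlen = BLOCK - 1 - (len(data) + MAC_LEN) % BLOCK
    pt = data + mac + bytes([padlen]) * (padlen + 1)
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(ENC_KEY, iv, pt)


def open_record(record, strict_padding):
    """Server side. strict_padding=False is the SSLv3 rule (only the length byte is checked);
    strict_padding=True is the TLS 1.0+ rule (every padding byte must equal the length byte).
    A TLS implementation that applies the SSLv3 rule has the 'TLS POODLE' bug."""
    pt = cbc_decrypt(ENC_KEY, record[:BLOCK], record[BLOCK:])
    padlen = pt[-1]
    if padlen >= BLOCK or padlen + 1 + MAC_LEN > len(pt):
        return False
    if strict_padding and any(b != padlen for b in pt[-(padlen + 1):]):
        return False
    body = pt[:-(padlen + 1)]
    expect = hmac.new(MAC_KEY, body[:-MAC_LEN], hashlib.sha1).digest()
    return hmac.compare_digest(body[-MAC_LEN:], expect)


def victim_request(prefix_len, suffix_len):
    """The victim (a browser running attacker JavaScript) sends attacker-chosen bytes around the secret."""
    return seal_record(b"A" * prefix_len + SECRET + b"B" * suffix_len)


def poodle_attack(secret_len, strict_padding, max_tries_per_byte=8192):
    """Recover SECRET using only accept/reject answers from open_record(). Returns None on failure."""
    recovered = bytearray()
    for j in range(secret_len):
        prefix_len = (BLOCK - 1 - j) % BLOCK                          # secret byte j lands last in its block
        suffix_len = (-(prefix_len + secret_len + MAC_LEN)) % BLOCK   # data||MAC fills whole blocks: full padding block
        target = (prefix_len + j) // BLOCK + 1                        # ciphertext block holding byte j (block 0 = IV)
        for _ in range(max_tries_per_byte):
            rec = victim_request(prefix_len, suffix_len)              # fresh IV each time, so each try is independent
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
            n = len(blocks) - 1
            forged = b"".join(blocks[:n]) + blocks[target]            # padding block replaced by the target block
            if open_record(forged, strict_padding):
                # accepted only when (D(C_target) xor C_{n-1})[15] == 15, which reveals P_target[15]
                recovered.append((BLOCK - 1) ^ blocks[n - 1][-1] ^ blocks[target - 1][-1])
                break
        else:
            return None
    return bytes(recovered)


if __name__ == "__main__":
    print("SSLv3 padding rule:", poodle_attack(len(SECRET), strict_padding=False))
    print("TLS padding rule:  ", poodle_attack(len(SECRET), strict_padding=True, max_tries_per_byte=512))
```

What the simulation leaves out is the network position: the real attacker has to sit between client and server to swap the last ciphertext block, and in the browser scenario also has to make the client retry at SSLv3 in the first place, which is where the downgrade and the TLS_FALLBACK_SCSV check in the Nessus output come in. That is also why "disable SSLv3" is the recommended fix: the padding rule is part of the SSLv3 specification, so it cannot be patched the way a TLS POODLE implementation bug can.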


Anant Shrivastava
Feb 23, 2015, 12:54:42 AM
to null-...@googlegroups.com
Refer to the last command in this table for manual verification of whether POODLE applies or not.


To read more about what POODLE is and how SSLv3 + CBC may not be vulnerable to POODLE, read




Anant Shrivastava 
Web : http://anantshri.info

--
_______________________________________________________________________________
Register for HackIM Powered by EMC, win Samsung gear,Arduino,nullcon pass,2 nights stay!
Details: http://ctf.nullcon.net nullcon - the neXt security thing!
_______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Big Boss
Feb 23, 2015, 3:52:26 AM
to null-...@googlegroups.com
I forgot to mention I have used OpenSSL also. It gave errors:
 
1)
 openssl s_client -connect {IP}:{PORT}
Loading 'screen' into random state - done
CONNECTED(0000009C)
5312:error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter:.\ssl\s23_clnt.c:770:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

2) 
openssl s_client -ssl3 -connect {IP}:{PORT}
Loading 'screen' into random state - done
CONNECTED(0000009C)
4676:error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter:.\ssl\s3_pkt.c:1293:SSL alert number 47
4676:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:617:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1424681070
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

3)
openssl s_client -tls1 -connect {IP}:{PORT}
Loading 'screen' into random state - done
CONNECTED(0000009C)
5808:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:347:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1424681215
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

4) I tried the last command from that page and here is what I got:
openssl s_client -ssl3 -fallback_scsv -connect {IP}:{PORT}
Loading 'screen' into random state - done
CONNECTED(0000009C)
5656:error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter:.\ssl\s3_pkt.c:1293:SSL alert number 47
5656:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:617:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes

Big Boss
Feb 23, 2015, 3:57:24 AM
to null-...@googlegroups.com
Also, this is what the Nessus output mentions:
 Nessus determined that the remote server supports SSLv3 with at least one CBC cipher suite, indicating that this server is vulnerable.

It appears that TLSv1 or newer is supported on the server. However, the Fallback SCSV mechanism is not supported, allowing connections to be "rolled back" to SSLv3.
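The two Nessus statements quoted above are two handshake probes: does the server answer an SSLv3 ClientHello that offers only CBC suites with an SSLv3 ServerHello, and does it reject an SSLv3 ClientHello that carries TLS_FALLBACK_SCSV (RFC 7507) with an inappropriate_fallback alert (number 86)? The following is an added example, not Nessus, Nmap or vendor code, that builds those ClientHellos by hand and classifies the first record the server sends back, so the same check can be run against an internal IP without an online scanner. One detail worth checking before concluding anything from the s_client runs in this thread: OpenSSL's default cipher list excludes anonymous (aNULL) suites, so `openssl s_client` without `-cipher` never offers the ADH suites that were the only ones sslscan saw accepted, which may be why every s_client attempt above fails in the handshake regardless of protocol version. The probe below therefore offers the ADH suites from the sslscan output alongside two RSA ones; the suite table, `probe()`, and the sample responses used to exercise the classifier are all assumptions constructed for this example.

```python
"""SSLv3 / POODLE handshake probe: hand-built ClientHellos and a classifier for the server's reply."""
import os
import socket
import struct

SSLV3 = 0x0300
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 1, 2
TLS_FALLBACK_SCSV = 0x5600

# Suites offered: the ADH ones sslscan reported in the thread plus two RSA suites. value -> (name, is_cbc)
SUITES = {
    0x0034: ("ADH-AES128-SHA", True),
    0x001B: ("ADH-DES-CBC3-SHA", True),
    0x001A: ("ADH-DES-CBC-SHA", True),
    0x0018: ("ADH-RC4-MD5", False),
    0x002F: ("AES128-SHA", True),
    0x000A: ("DES-CBC3-SHA", True),
}
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter",
               70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version, suites, fallback_scsv=False):
    """Bare ClientHello with no extensions, as a legacy SSLv3 client would send it."""
    ids = list(suites) + ([TLS_FALLBACK_SCSV] if fallback_scsv else [])
    suite_bytes = b"".join(struct.pack("!H", s) for s in ids)
    body = (struct.pack("!H", version) + os.urandom(32) + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                                           # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(hs)) + hs


def classify_response(data):
    """Interpret the first TLS record the server returned. Returns (verdict, detail)."""
    if len(data) < 5:
        return ("no_response", "connection closed without a record")
    ctype, _version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if ctype == ALERT and len(payload) >= 2:
        desc = payload[1]
        if desc == 86:
            return ("fallback_scsv_honoured", "inappropriate_fallback alert: downgraded hello rejected")
        return ("handshake_refused", "alert %d (%s)" % (desc, ALERT_NAMES.get(desc, "unknown")))
    if ctype == HANDSHAKE and len(payload) >= 41 and payload[0] == SERVER_HELLO:
        srv_version = struct.unpack("!H", payload[4:6])[0]
        sid_len = payload[38]                                        # after 4 header + 2 version + 32 random
        suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
        name, is_cbc = SUITES.get(suite, ("0x%04x" % suite, None))
        if srv_version == SSLV3 and is_cbc:
            return ("sslv3_cbc_accepted", "SSLv3 ServerHello with CBC suite %s: POODLE precondition met" % name)
        if srv_version == SSLV3:
            return ("sslv3_accepted", "SSLv3 ServerHello with non-CBC or unknown suite %s" % name)
        return ("other_version", "ServerHello version 0x%04x, suite %s" % (srv_version, name))
    return ("unexpected", "record content type 0x%02x" % ctype)


def probe(host, port, timeout=5.0):
    """The two checks Nessus reports: SSLv3+CBC accepted? SSLv3 hello carrying the SCSV rejected?"""
    cbc = [s for s, (_, is_cbc) in SUITES.items() if is_cbc]
    results = {}
    for label, scsv in (("sslv3_cbc", False), ("sslv3_cbc_with_scsv", True)):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(SSLV3, cbc, fallback_scsv=scsv))
            try:
                data = sock.recv(4096)
            except socket.timeout:
                data = b""
        results[label] = classify_response(data)
    return results


# Constructed sample replies, used to exercise classify_response() offline.
SAMPLE_SERVER_HELLO = (struct.pack("!BHH", HANDSHAKE, SSLV3, 42) + bytes([SERVER_HELLO])
                       + (38).to_bytes(3, "big") + b"\x03\x00" + b"\x00" * 32   # version, random
                       + b"\x00" + b"\x00\x34" + b"\x00")                      # no session id, ADH-AES128-SHA, null
SAMPLE_ALERT_86 = b"\x15\x03\x00\x00\x02\x02\x56"
SAMPLE_ALERT_47 = b"\x15\x03\x00\x00\x02\x02\x2f"

if __name__ == "__main__":
    import sys
    for label, (verdict, detail) in probe(sys.argv[1], int(sys.argv[2])).items():
        print(label, verdict, detail)
```

Reading the two results together: `sslv3_cbc_accepted` on the first probe is the SSLv3-with-CBC finding, and anything other than `fallback_scsv_honoured` on the second means the server does not implement the SCSV, which is the "can be rolled back" finding. A `handshake_refused` on the first probe is not proof that SSLv3 is disabled until cipher mismatch has been ruled out, which is why the offered suites should match what sslscan saw. The SCSV only helps clients that send it; the server still speaks SSLv3 to any client that asks, so the fix for the first finding remains disabling SSLv3 on the appliance.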