Another security vulnerability came to light today, on SSL this time.
What: POODLE attack (Padding Oracle On Downgraded Legacy Encryption) will allow stealing “secure” HTTP cookies (or other bearer tokens such as HTTP Authorization header contents).
Test: If the below command succeeds it means that this vulnerability exists.
| $ curl -v3 -X HEAD “https://yourwebsite.com” |
Details : For more details read the security advisory at https://www.openssl.org/~bodo/ssl-poodle.pdf
Fix: If SSLv3 is already disabled on the server side then nothing needs to be done else disabling the SSL 3.0 protocol in the client or in the server (or both) will completely avoid it. Since we cant control clients this means fixing it on the server side is the guaranteed fix. Also no modern browsers or mobile devices need SSLv3 – not even IE 8 on Windows XP.
References:
https://scottlinux.com/2013/06/18/disable-sslv2-and-sslv3-in-apache/
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol
Example:
On an Ubuntu system with openssl 1.0.1f to disable SSLv3 on server side modify the entry “SSLProtocol all” in ssl.conf (under apache’s mods-available directory) to “SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2”
| $ openssl version OpenSSL 1.0.1f 6 Jan 2014 |
| $ grep -nri “SSLProtocol” /etc/apache2/ /etc/apache2/mods-available/ssl.conf:64: SSLProtocol all |
| # modify contents in ssl.conf $ sudo vi /etc/apache2/mods-available/ssl.conf [sudo] password for sandeep: |
| $ grep -nri “SSLProtocol” /etc/apache2/ /etc/apache2/mods-available/ssl.conf:64: SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2 |
| $ sudo service apache2 restart |