Security Update: Poodle SSLv3 Vulnerability

Recently Google researchers identified a security flaw in Version 3 of the SSL protocol. The attack has been named POODLE (“Padding Oracle On Downgraded Legacy Encryption”) for easy reference.

This impacts web servers which are still configured to respond on the SSL 3 protocol.

Vulnerability information

The “POODLE” vulnerability was identified from an exploit found in the way the SSLv3 protocol handles certain requests.

This vulnerability can be exploited by attackers who have the ability to modify network transmissions between the browser and the target server. This could lead to an attacker obtaining information that would normally be encrypted over SSL.

For this exploit to be utilised, an attacker would need the ability to force a browser to make an SSL request and the ability to modify network traffic between the browser and the target server.

This affects both Linux and Windows based servers that are running a web server, whether that is:

  • Apache
  • Litespeed
  • Nginx
  • IIS

To see if your website (server) is vulnerable simply head over to the following URL, https://www.tinfoilsecurity.com/poodle, and enter the SSL address (can be a domain name or IP address) of your server.

The interesting fact here is that the majority of web based applications and services do not use SSL v3 anymore; other protocols such as TLS are now used. So in most cases SSL v3 is enabled, but not required.

You can read more in Google's blog post about the exploit.

What have we done?

Upon first being alerted to this vulnerability, we patched all core and non-core servers, including our Shared / Reseller servers. The majority of our Apache based servers were already configured to not use SSL v3.

We checked our Managed VPS product and confirmed they were not vulnerable, so no further action was taken for those services.

We worked with some software vendors who were using SSL v3 (surprisingly!) to ensure they were developing a patch to remove this support. We have since patched the software that was affected.

We additionally prepared Knowledge Base articles for our VPS and Dedicated Server customers who want to patch their own servers.

What should you do?

If you are a customer on our Web Hosting or Reseller Hosting products, you can disregard this notice as we have already patched your services.

If you are on a self-managed VPS or dedicated server service we recommend you take action and make the necessary changes.

We’ve prepared a Knowledge Base article for you to follow: https://help.crucial.com.au/hc/en-gb/articles/203309684 

If you are on a VPS or dedicated server service and have the “Full Management” support option (or are a Control Panel VPS customer) please open a support ticket and we will check / patch as required.

If you are on our new Managed VPS product, we have already confirmed you are not vulnerable to this and no action is required.


  • Congrats. Well-handled.

  • Travis Lochert

    If, like me, you’ve had many problems with people and Googlebot accessing your https pages, check out this thread.

    https://www.google.com.au/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=apache%20googlebot%20still%20using%20sslv3

    The Google blog post about Poodle says there will be ‘compatibility issues’ with disabling SSLv3 ciphers, but I had no idea that all these clients would be blocked from my website:

    Android 2.3.7 No SNI 2 TLS 1.0
    Android 4.0.4 TLS 1.0
    Android 4.1.1 TLS 1.0
    Android 4.2.2 TLS 1.0
    Android 4.3 TLS 1.0
    BingBot Dec 2013 No SNI 2 TLS 1.0
    BingPreview Jun 2014 TLS 1.0
    Firefox 24.2.0 ESR / Win 7 TLS 1.0
    Googlebot Jun 2014 TLS 1.0
    IE 7 / Vista TLS 1.0
    IE 8 / XP No FS 1 No SNI 2 TLS 1.0
    IE 8-10 / Win 7 R TLS 1.0
    IE Mobile 10 / Win Phone 8.0 TLS 1.0
    Java 6u45 No SNI 2 TLS 1.0
    Java 7u25 TLS 1.0
    OpenSSL 0.9.8y TLS 1.0
    Safari 5.1.9 / OS X 10.6.8 TLS 1.0
    Safari 6.0.4 / OS X 10.8.4 R TLS 1.0