2014-10-15 10:24 PM
As many of you are aware, today we all had to become familiar with yet another SSL vulnerability:
SSLv3 vulnerability (CVE-2014-3566) AKA "Poodle" or the 'Padding Oracle On Downgraded Legacy Encryption' attack.
Right now the general advice is to first check to see if you are running the vulnerable SSL version, and if so to disable it. The team over at Red Hat have provided a simple script that will immediately let you know if you have SSLv3 enabled on your Linux-based servers. You can find that script here:
https://access.redhat.com/articles/1232123
The bottom line is that the vulnerability is a flaw in a protocol dating from 1996. It is very unlikely a fix will be provided. A more secure alternative is to employ TLSv1.1 or TLSv1.2 and disable SSLv3 support in any internal clients and servers in your environment. TLSv1.0 is not a safe replacement.
The Security Analytics Content Team is in the process of modifying our LUA TLS parser to identify and flag SSLv3 communications. The parser is still being put through our QA testing scenarios and should be available in Live within the next 12-24 hours. In regards to Poodle, this parser's primary benefit will be to flag SSLv3 sessions to assist your organization with finding vulnerable devices on your network. It does not mitigate the need to disable the protocol.
While not as serious as some of the SSL/TLS vulnerabilities that came before it, it still presents a target in your environment. If you didn't already disable support for the protocol after the release of the BEAST attack tool in 2011, now is an ideal time to do so.
A collection of methods for disabling SSLv3 on various web servers and clients can be found below.
<DISCLAIMER>
The information contained on the following link has not been validated by RSA, nor is there any implied support for the methods described. It is provided as a courtesy for inquisitive readers wanting to know more about how others are disabling the vulnerable protocol.
</DISCLAIMER>
https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/
This thread will be updated as soon as we have finished internal testing of the TLS parser update and it has been made available on Live.
2014-10-16 12:20 PM
Updated: TLS-LUA parser is live! Update the parser and the feed "alertids_suspicious"
The parser looks at the SSL/TLS version being used for the session, and registers an alert.id if SSL 3.0. It should show up in meta as:
risk.suspicious: ssl3.0
threat.category: vulnerability
threat.source: netwitness
Happy Hunting!
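The following Python is an added example and is not the RSA Lua parser or the Red Hat script referenced above. It shows the two things this thread is about: pulling the SSL/TLS version out of a captured handshake record and flagging SSL 3.0 the way the parser's meta does (the meta key names and values are copied from the list above; the "tls.version" key is an assumption), and building a bare SSLv3 ClientHello so a host can be probed for SSLv3 support. The sample records are constructed by hand, not captured; the cipher suite list in the probe is just a handful of SSLv3-era suites and can be changed.

```python
"""SSL/TLS version extraction from handshake records, plus an SSLv3 probe.

Added example, not the RSA Lua parser. Sample records below are constructed
by hand for offline testing, not taken from a capture.
"""
import os
import socket
import struct

HANDSHAKE, ALERT = 0x16, 0x15            # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types
VERSION_NAMES = {0x0300: "ssl3.0", 0x0301: "tls1.0",
                 0x0302: "tls1.1", 0x0303: "tls1.2"}


def hello_version(record):
    """Return (handshake_type, version) for the Hello in the first record,
    or None when the record is not a Client/ServerHello (e.g. an alert).

    Handles both the 5-byte TLS record header and the 2-byte SSLv2-style
    header (high bit set) that old clients use to wrap a ClientHello that
    still advertises version 3.0, so those clients are not missed."""
    if len(record) < 5:
        raise ValueError("truncated record")
    if record[0] & 0x80:                         # SSLv2 header: 1xxxxxxx len-lo
        msg_type = record[2]
        version = struct.unpack("!H", record[3:5])[0]
        return (msg_type, version) if msg_type == CLIENT_HELLO else None
    content_type, _rec_version, length = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        return None
    body = record[5:5 + length]
    if len(body) < 6:
        raise ValueError("truncated handshake message")
    hs_type = body[0]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    return hs_type, struct.unpack("!H", body[4:6])[0]


def session_meta(server_record):
    """Meta for a session, keyed like the parser output listed in the thread.
    The version the *server* selects is what the session actually uses; the
    ClientHello only states the client's maximum, so we key off ServerHello."""
    parsed = hello_version(server_record)
    if parsed is None or parsed[0] != SERVER_HELLO:
        return {}
    version = VERSION_NAMES.get(parsed[1], "0x%04x" % parsed[1])
    meta = {"tls.version": version}               # assumed key name
    if parsed[1] == 0x0300:
        meta.update({"risk.suspicious": "ssl3.0",
                     "threat.category": "vulnerability",
                     "threat.source": "netwitness"})
    return meta


SSLV3_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)  # AES, 3DES, RC4 w/ RSA


def build_sslv3_client_hello():
    """Minimal SSLv3 ClientHello: version 3.0, no session id, null compression,
    no extensions (SSLv3 has none)."""
    suites = b"".join(struct.pack("!H", s) for s in SSLV3_SUITES)
    body = (struct.pack("!H", 0x0300) + os.urandom(32) + b"\x00"
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0300, len(handshake)) + handshake


def classify_response(data):
    """Interpret what a server sent back to the SSLv3 ClientHello."""
    if not data:
        return "refused: connection closed without a handshake"
    if data[0] == ALERT:
        return "refused: TLS alert"
    parsed = hello_version(data)
    if parsed and parsed[0] == SERVER_HELLO:
        if parsed[1] == 0x0300:
            return "ENABLED: server completed an SSLv3 ServerHello"
        return "unexpected: server answered with %s" % VERSION_NAMES.get(
            parsed[1], "0x%04x" % parsed[1])
    return "unknown response"


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect, offer only SSLv3, and classify the reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


# Constructed sample records (not captured traffic).
SSL3_SERVER_HELLO = bytes.fromhex("160300002a" "02000026" "0300" + "11" * 32
                                  + "00" "002f" "00")
TLS12_SERVER_HELLO = bytes.fromhex("160303002a" "02000026" "0303" + "11" * 32
                                   + "00" "002f" "00")
FATAL_ALERT = bytes.fromhex("1503000002" "0228")  # fatal handshake_failure
SSLV2_STYLE_CLIENT_HELLO = bytes.fromhex("801f" "01" "0300" "0006" "0000" "0010"
                                         "00002f" "000035" + "22" * 16)

if __name__ == "__main__":
    import sys
    for name, rec in (("ssl3", SSL3_SERVER_HELLO), ("tls12", TLS12_SERVER_HELLO)):
        print(name, session_meta(rec))
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_sslv3(sys.argv[1]))
```

Run it with a hostname as the first argument to probe a server; a server that still speaks SSLv3 answers the 3.0-only ClientHello with a 3.0 ServerHello, while a correctly configured one sends an alert or simply closes the connection. The SSLv2-style header case matters for the detection side: some legacy clients wrap an SSL 3.0 ClientHello in the old 2-byte record format, and a parser that only understands the 5-byte TLS header will miss them.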