This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Poodle and You

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-10-15 10:24 PM

As many of you are aware, today we all had to become familiar with yet another SSL vulnerability:

 

SSLv3 vulnerability (CVE-2014-3566) AKA "Poodle" or the 'Padding Oracle On Downgraded Legacy Encryption' attack.

 

Right now the general advice is to first check to see if you are running  the vulnerable SSL version, and if so to disable it. The team over at Red Hat have provided a simple script that will immediately let you know if you have SSLv3 enabled on your Linux-based servers. You can find that script here:

 

https://access.redhat.com/articles/1232123

 

The bottom line is that the  vulnerability is a flaw in a protocol dating from 1996. It is very unlikely a fix will be provided.  A more secure alternative is to employ TLSv1.1 or TLSv1.2 and disable SSLv3 support in any internal clients and servers in your environment. TLSv1.0 is not a safe replacement.

 

The Security Analytics Content Team is in the process of modifying our LUA TLS parser to identify and flag SSLv3 communications. The parser is still being put through our QA testing scenarios and should be available in Live within the next 12-24 hours. In regards to Poodle, this parser's primary benefit will be to flag SSLv3 sessions to assist your organization with finding vulnerable devices on your network. It does not mitigate the need to disable the protocol.

 

While not as serious as some of the SSL/TSL vulnerabilities that came before it, it's still presents a target in your environment. If you didn't already disable support for the protocol after the release of the BEAST attack tool in 2011, now is an ideal time to do so.

 

A collection of methods for disabling SSLv3 on various web servers and clients can be found below.

 

<DISCLAIMER>

The information contained on the following link has not been validated by RSA, nor is there any implied support for the methods described. It is provided as a courtesy for inquisitive readers wanting to know more about how others are disabling the vulnerable protocol.

</DISCLAIMER>

 

https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/

 

This thread will be updated as soon as we have finished  internal testing of the TLS parser update and it has been made available on Live.

1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-10-16 12:20 PM

Updated: TLS-LUA parser is live! Update the parser and the feed "alertids_suspicious"

 

 

The parser looks at the SSL/TLS version being used for the session, and
registers an alert.id if SSL 3.0.  It should show up in meta as:

 

 

risk.suspicious:  ssl3.0

threat.category: vulnerability

threat.source:  netwitness

 

 

Happy Hunting!

View solution in original post

1 REPLY 1

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-10-16 12:20 PM

Updated: TLS-LUA parser is live! Update the parser and the feed "alertids_suspicious"

 

 

The parser looks at the SSL/TLS version being used for the session, and
registers an alert.id if SSL 3.0.  It should show up in meta as:

 

 

risk.suspicious:  ssl3.0

threat.category: vulnerability

threat.source:  netwitness

 

 

Happy Hunting!

© 2022 RSA Security LLC or its affiliates. All rights reserved.