The holiday freeze is upon us—that time of year when updates and patches to systems are delayed until after the first of the year. However, the return of a pesky canine has IT security experts scrambling to get patches applied.
The POODLE is back! Publicly revealed in October, this exploit (Padding Oracle On Downgraded Legacy Encryption) takes advantage of the way some browsers deal with encryption. As a result, the Secure Sockets Layer (SSL) 3.0 protocol for encryption and authentication in most browsers was replaced by the Transport Layer Security (TLS) protocol. Unfortunately, browsers will have to be checked and patched again for this new vulnerability, due to new information discovered by experts.
Lucian Constantin, Romanian Correspondent for the IDG News Service, provides the following details regarding the latest iteration of POODLE, recently published in PCWorld:
Initially, researchers believed it affected only SSL 3.0, an aging protocol superseded by TLS 1.0, 1.1 and 1.2. That still put users at risk, since most browsers and servers still supported SSL 3.0 for backward-compatibility reasons. Attackers were able to force a connection downgrade from TLS to SSL and then exploit the vulnerability.
Security researchers have now discovered that the issue also affects some implementations of TLS in products that don’t properly check the structure of the “padding” used in TLS packets.
Google security engineer Adam Langley built a scanner to find out if other products are affected. He found that some major sites were vulnerable, and it turned out to be because they were using load balancers from F5 Networks and A10 Networks to handle the TLS connections.
“F5 have posted patches for their products and A10 should be releasing updates today,” Langley said Monday in a blog post. “I’m not completely sure that I’ve found every affected vendor but, now that this issue is public, any other affected products should quickly come to light.”
Website administrators who want to check if their servers—or load balancers used in front of their servers—are vulnerable can use the Qualys SSL Labs Server Test, which has been updated to detect the problem. If a vulnerability is discovered, apply the patch provided by your vendor.
For more information regarding the POODLE exploit, read the full PCWorld article.
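To make the padding-check issue described above concrete, the following Python is an added illustration, not code from PCWorld, Adam Langley, or any vendor. It contrasts an SSL 3.0-style check that looks only at the final length byte with the TLS rule that every padding byte must equal the padding length. The function names, the 16-byte block size, and the sample records (which omit the MAC for brevity) are assumptions constructed for this example.

```python
# Added example: CBC record padding validation, lax (SSL 3.0-style) vs. strict (TLS).
from typing import Optional

BLOCK = 16  # AES block size; an assumption for the constructed records below


def lax_padding_ok(plaintext: bytes) -> bool:
    """SSL 3.0-style check: only the final length byte is examined."""
    if not plaintext or len(plaintext) % BLOCK:
        return False
    pad_len = plaintext[-1]
    return pad_len + 1 <= len(plaintext)


def strict_padding_ok(plaintext: bytes) -> bool:
    """TLS check: the last pad_len + 1 bytes must all equal pad_len."""
    if not plaintext or len(plaintext) % BLOCK:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    diff = 0
    # Accumulate differences instead of returning at the first mismatch.
    # (Pure Python gives no real constant-time guarantee; this shows the logic.)
    for b in plaintext[-(pad_len + 1):]:
        diff |= b ^ pad_len
    return diff == 0


def make_record(body: bytes, filler: Optional[int] = None) -> bytes:
    """Build a constructed decrypted record: body + padding + length byte."""
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    fill = pad_len if filler is None else filler
    return body + bytes([fill]) * pad_len + bytes([pad_len])


# Constructed sample records (no MAC): same body, different padding bytes.
GOOD = make_record(b"GET / HTTP/1.1\r\n" + b"M" * 20)       # proper TLS padding
BAD = make_record(b"GET / HTTP/1.1\r\n" + b"M" * 20, 0xAA)  # arbitrary filler

if __name__ == "__main__":
    for name, rec in (("well-formed", GOOD), ("arbitrary filler", BAD)):
        print(f"{name:17} lax={lax_padding_ok(rec)} strict={strict_padding_ok(rec)}")
```

A TLS stack that behaves like `lax_padding_ok` accepts the second record even though its padding bytes are malformed, which is the class of implementation flaw the updated SSL Labs test is meant to flag.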