POODLE :- Padding Oracle On Downgraded Legacy Encryption
WHAT IS :
It
is a newly discovered vulnerability on the basic protocol used for
encrypting the web traffic. POODLE affects SSLv3 or version 3 of the
Secure Sockets Layer protocol.
HOW IS :
It’s
not as serious as the recent Shellshock and Heartbleed vulnerabilities,
but POODLE could allow an attacker to hijack and de-crypt the session
cookie that is used for identifying the user without repeatedly giving
the password, each time when you using the web services like email,
social networking and more account related ones.
Browsers
are particularly vulnerable because session cookies are short and an
ideal target for plain text recovery, and the way HTTPS works allows an
attacker to generate passwords. Browsers are also most likely to
implement the compatibility fallback.
FIX :
It has already been fixed through iterative protocol improvements, leading to the current TLS version.
But many of the browsers are still using the SSLv3, So it become important to resolve this issue
FOR RESOLVING :
Disabling SSL 3.0 will obviously prevent exposure to future SSL 3.0-specific issues.
For doing this, there is a simple method
For apache :: (tested and verified)
Add the below to apache configuration file and restart apache.
#vi /usr/local/apache/conf/httpd.
Add the below line
SSLProtocol all -SSLv2 -SSLv3
For cPanel servers, also update distiller through following command
#/usr/local/cpanel/bin/apache_
Then restart apache service.
#/etc/init.d/httpd restart
For Nginx :: (tested and verified)
Remove SSLv3 from nginx configuration file usually located in
/etc/nginx/nginx.conf
or
/usr/local/nginx/conf
Locate the directive ssl_protocols in the configuration file.
This may look like
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
Remove the directives, SSLv3
Then it will be like :
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Now restart your nginx service
#nginx -s reload
For verifing that the sslv3 is disabled :
Create a file "test.sh" and copy the following scripts
#!/bin/bash
ret=$(echo Q | timeout 5 openssl s_client -connect "${1-`hostname`}:${2-443}" -ssl3 2> /dev/null)
if echo "${ret}" | grep -q 'Protocol.*SSLv3'; then
if echo "${ret}" | grep -q 'Cipher.*0000'; then
echo "SSL 3.0 disabled"
else
echo "SSL 3.0 enabled"
fi
else
echo "SSL disabled or other error"
fi
then run the script using "./test.sh" command
The command will return 'SSL 3.0 enabled' if vulnerable and 'SSL 3.0 disabled' if not.
Thank you for visiting..
Please feel free to post your comments
Visit again.......!
No comments:
Post a Comment