The POODLE vulnerability, or “Padding Oracle On Downgraded Legacy Encryption”, is a new security threat found within existing, though outdated, encryption technology.
This vulnerability is not as threatening as Heartbleed or Shellshock which could both be exploited via direct attack vectors. The POODLE vulnerability requires a man in the middle attack vector in order to be exploited.
Unfortunately this vulnerability does not have a specific solution or patch but rather multiple methods of reducing risk to exposure. Experts at Google, Microsoft, Mozilla, and others, have all posted possible methods to mitigate against the POODLE vulnerability.
Tier1Net is actively following all POODLE developments and will release a more detailed notice with information regarding the vulnerability and steps that can be taken to reduce exposure.
This vulnerability is not as threatening as Heartbleed or Shellshock
POODLE exposes a vulnerability in an outdated – but still used – web encryption technology SSL 3.0. Modern web browsers are designed to prefer the newer TLS encryption protocol when accessing a service secured via SSL. But most browsers will still accommodate SSL 3.0 traffic, if the host or client demands it. SSL 3.0 traffic, however, exposes a unique vulnerability for attackers to decrypt data sent between the client and server.
The conditions that are required for the attack to be applicable are hard to obtain.
It would not be easy to exploit this vulnerability however. “The conditions that are required for the attack to be applicable are hard to obtain.” said Itsik Mantin, director of security research at Imperva. “In particular, the attacker needs to become a man-in-the-middle between the attacked client and server, and to generate, block and modify client messages to the server and vice versa.” An attacker could then theoretically force the host/client connection to “fallback” to SSL 3.0, where the attacker could then potentially access data. An attack such as this would most likely occur on an unsecured public network, such as a Wi-Fi network at an airport.
In order to safeguard against POODLE, SSL 3.0 fallback must be blocked on all levels. Due to the scope and complexity of possible SSL 3.0 usage, a permanent blocking solution is not yet agreed upon. Blocking SSL 3.0 prematurely could break many existing websites: potentially blocking users from accessing a client’s own site, and also blocking employee’s from accessing business critical sites.
Tier1Net is actively following all recommendations and will keep its clients apprised of new developments.