We are back on the POODLE vulnerability (Padding Oracle On Downgraded Legacy Encryption). Everybody thought that the problem was solved, but that is not the case. Our advice is still valid, but it is becoming more and more urgent to take additional security measures.

Why do organisations have to stay protected?

If you are running a business that involves handling cardholder data (CHD), keep an eye on the PCI DSS requirement 4.1, which states that organisations must:

“Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.”

If the server supports weak cryptography and protocols, CHD is at risk together with your compliance, potentially causing serious consequences for your business and reputation.

There is growing pressure on all organisations that handle customer information and CHD to stop using Secure Socket Layer version 3.0. The NIST publication 800-52r1, which has not been updated recently, already stated that Secure Socket Layer version 3.0 should not be used and recommended the move to TLS 1.2 by January 2015.

In response to this vulnerability, Mozilla has already stopped supporting SSL version 3.0, and their new release doesn’t support it anymore.

Microsoft has issued instructions and is working on a solution. Google Chrome will no longer support Secure Socket Layer version 3.0 from the next release, as already announced when the vulnerability was discovered last October.

What are the latest findings about this vulnerability?

As said already, disabling Secure Sockets Layer version 3.0 support on your server will prevent individuals using vulnerable browsers from being exposed. However, a new problem has been announced relating to the implementation of Transport Layer Security 1.2. The lack of a defined padding format gave rise to the original attack, and it has now been discovered that some implementations, such as those used within the F5 Load Balancers, do not check the padding structure following decryption and are also vulnerable to a variant of the original attack.
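The padding check the paragraph above refers to, as an added example (not code from the original article or from any vendor): SSL 3.0 defines only the final padding-length byte, while TLS requires every padding byte to equal that length. The function names, the 16-byte block size and the sample records are assumptions constructed for illustration.

```python
BLOCK = 16  # assumption: an AES-CBC cipher suite with 16-byte blocks


def length_byte_only_ok(plaintext: bytes) -> bool:
    """SSL 3.0-style check: only the final length byte is examined."""
    if not plaintext or len(plaintext) % BLOCK:
        return False
    return plaintext[-1] + 1 <= len(plaintext)


def tls_padding_ok(plaintext: bytes) -> bool:
    """TLS check: the length byte and every padding byte must equal pad_len."""
    if not plaintext or len(plaintext) % BLOCK:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    diff = 0
    for b in plaintext[-(pad_len + 1):]:
        diff |= b ^ pad_len  # no early exit on the first mismatch
    return diff == 0


# Constructed decrypted records: 20 bytes standing in for data + MAC, then padding.
BODY = bytes(range(20))
SAMPLES = {
    "well_formed": BODY + bytes([11]) * 12,
    "junk_padding": BODY + bytes([0xA5, 0, 0x3C, 7, 9, 1, 0xFF, 2, 8, 4, 6, 11]),
    "one_bad_byte": BODY + bytes([11]) * 5 + bytes([10]) + bytes([11]) * 6,
    "length_too_big": BODY + bytes([11]) * 11 + bytes([200]),
}


def wrongly_accepted(check) -> list:
    """Names of the malformed samples that the given check still accepts."""
    return sorted(name for name, rec in SAMPLES.items()
                  if name != "well_formed" and check(rec))


if __name__ == "__main__":
    print("length-byte-only check accepts:", wrongly_accepted(length_byte_only_ok))
    print("full TLS check accepts:", wrongly_accepted(tls_padding_ok))
```

A real TLS stack performs this check together with MAC verification and in constant time; the example only shows which malformed records each rule lets through.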

PCI DSS requirement 6.1 requires organisations to ensure that vendor-supplied security patches are applied to protect all system components and software from known vulnerabilities, so you should look to apply patches as soon as possible after the vendors release them.

“Establish a process to identify security vulnerabilities, by using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as 'high,' 'medium,' or 'low') to newly discovered security vulnerabilities.”

What is the solution for organisations to stop the POODLE?

Advantio recommends that organisations who process cardholder data disable the use of old certificates as soon as possible. Then check with vendors to ensure that the implementation of Transport Layer Security 1.2 is not vulnerable and that it validates the padding format.

Are you a cardholder who wants to protect yourself?

Here is a short guide on how to solve the problem in the most commonly used browsers. Make sure you do this if you’re using a browser that still allows SSL version 3.0 or older and TLS version 1.1 or older:

Internet Explorer

  1. Open Internet Explorer and click on “Settings”
  2. Choose “Internet Options” and select the “Advanced” tab
  3. Make sure to deactivate all the certificates except for the Transport Layer Security version 1.2

  4. Click on “Apply”
  5. Also take a look at this article for more information

Mozilla Firefox

  1. Open Mozilla and type in the address bar “about:config”
  2. Accept the warning from Mozilla
  3. Search the line “security.tls.version.min” and double click on it
  4. Set the integer value to “1”

  5. Close the window

Google Chrome (for Windows users)

While waiting for the next release of Google Chrome, you can protect yourself by using a simple solution, as follows:

  1. Locate the Google Chrome shortcut to launch the browser
  2. Right click on it and select “Properties”
  3. Once in Properties, find the “Target” field. If you’re using Windows it should contain something like this:

    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

  4. Add the following text at the end of the target and click on “Apply”.

    --ssl-version-min=tls1

  5. The new target should now look like this:

    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1

Apple Safari

Apple has released a series of patches that you can download and install on your own. Follow this link to find out more about how to protect your Safari browser.

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight) / Linux+ / PCI-QSA / PA-QSA