POODLE Exploit: Tail Wagging the Dog
Author: Frank Gifford.
Google researchers [1] pointed out yet another flaw in SSL version 3.0, tracked as CVE-2014-3566, which they have nicknamed POODLE ("Padding Oracle On Downgraded Legacy Encryption"). Note that “Oracle” in this context has nothing to do with the company by that name. Instead, it’s the wise one who can tell you whether your guess is right or wrong [2].
This attack is, fortunately, more theoretical in nature, but is still important. Essentially, a Man-in-the-Middle can modify packets in such a way that we might be able to decrypt a request one byte at a time.
This comes about from the underlying design of SSL version 3.0. For a plaintext message we append a Message Authentication Code (MAC) and then pad the remaining data for the underlying cipher. This is a natural design if we assume that the encryption is somehow a “layer” that exists just below the plaintext/authentication. But this design is actually a flaw.
The padding is a sequence of random bytes and then the final byte is the number of bytes we added. So for the AES cipher, we would add anywhere from zero to fifteen bytes of randomness and then one byte of the length to make the overall length a multiple of sixteen bytes.
Imagine that we have a full block of padding at the end (the Google paper describes how we can achieve this). Now take an earlier cipher block in that stream and use it to replace the cipher block at the end. There is a 1/256 chance that the final byte will decrypt correctly (and the other bytes will be garbage). In this case, the server will strip the padding. Since the padding size is correct, the server is able to verify the message authentication and will accept the message.
Knowing that we succeeded, we have an easy mathematical relationship about a plaintext byte that corresponds to the cipher block we copied. Now, we’ve leaked one byte of something that was strongly encrypted. With a bit of work, we can repeat the process to extract the remaining data. This could be cookies or passwords. Ultimately, this is an important attack since we can extract data while using a strong cipher.
Locking the Dog Door
Now for the good news: You can avoid this particular attack by not using SSL version 3.0. If you are writing some kind of IPS, you can have a rule that repeated cipher blocks are “suspicious” and shouldn’t be allowed, since the chance of two cipher blocks being the same in CBC mode is 1/(2^128). Certainly a simpler approach is to look for multiple SSL failures. We’ve supplied a Strike in our latest ATI update to help you assess your security defenses against POODLE.
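The repeated-cipher-block rule described above, sketched as an added example (it is not Ixia's Strike or IPS code): it parses raw SSL 3.0 records and reports any application-data cipher block that already appeared earlier in the stream. The 16-byte block size, the function names and the sample records are assumptions constructed for illustration.

```python
import hashlib
import struct

BLOCK = 16                     # assumption: AES-CBC suite, 16-byte cipher blocks
SSL3, APP_DATA = 0x0300, 23    # SSL 3.0 record version, application_data type

def iter_records(stream):
    """Yield (content_type, version, fragment) for each complete record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        frag = stream[off + 5:off + 5 + length]
        if len(frag) < length:
            break              # truncated capture: stop parsing
        yield ctype, version, frag
        off += 5 + length

def find_repeated_blocks(stream):
    """Return (record, block, first_record, first_block) for every repeat."""
    seen, findings = {}, []    # seen: cipher block -> where it first appeared
    for rec_no, (ctype, version, frag) in enumerate(iter_records(stream)):
        if version != SSL3 or ctype != APP_DATA or len(frag) % BLOCK:
            continue           # not an SSL 3.0 block-cipher data record
        for blk_no in range(len(frag) // BLOCK):
            block = frag[blk_no * BLOCK:(blk_no + 1) * BLOCK]
            if block in seen:
                findings.append((rec_no, blk_no) + seen[block])
            else:
                seen[block] = (rec_no, blk_no)
    return findings

def record(fragment, ctype=APP_DATA, version=SSL3):
    """Build one record (helper for the constructed samples below)."""
    return struct.pack("!BHH", ctype, version, len(fragment)) + fragment

# Constructed sample data: six distinct stand-in cipher blocks, not real traffic.
B = [hashlib.sha256(bytes([i])).digest()[:BLOCK] for i in range(6)]
CLEAN = record(B[0] + B[1] + B[2]) + record(B[3] + B[4] + B[5])
# Same stream, but the final block of record 1 is a copy of record 0, block 1.
TAMPERED = record(B[0] + B[1] + B[2]) + record(B[3] + B[4] + B[1])

if __name__ == "__main__":
    print("clean:   ", find_repeated_blocks(CLEAN))
    print("tampered:", find_repeated_blocks(TAMPERED))
```

A real sensor would keep the `seen` table per connection and direction and bound its size.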
For your personal browser, you should disable SSL version 3.0; this link [3] provides some instructions to walk you through that process. If you’d really like to get into the weeds about SSL version 3.0, [4] is definitive.
The warning for security designers is that this is a never-ending process:
- Security design involving crypto is harder than it appears: a strong cipher and message authentication are not enough
- Stay up to date with security research
- Verify you have all your systems patched
- Test your IPS and critical systems to verify that they aren’t vulnerable to attacks
- There is ongoing work to address this sort of issue; one example: [5]
Leverage Subscription Service to Stay Ahead of Attacks
- The Ixia BreakingPoint Application and Threat Intelligence (ATI) program provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.