POODLE (CVE-2014-3566)

or, "How to disable SSLv3 everywhere if you can, or mitigate POODLE if you can't"


If you see something missing, please let me know!


Summary

POODLE is a padding oracle attack that affects all SSLv3 clients and servers (because it is a protocol issue, not an implementation issue). Unlike Heartbleed, it requires a man-in-the-middle (MitM) position to exploit. It is similar to BEAST. A new-ish extension to SSL (TLS_FALLBACK_SCSV) fixes it long term. Google/Chrome is already deploying it, and it is also in the latest OpenSSL. But do not let that deter you from moving now to start eliminating SSLv3.

If you can get away with disabling SSLv3 server-side, I'd do it. For clients you don't control, IE6 on XP is the biggest client impact, but don't forget non-HTTP services (SSL VPN, SMTP STARTTLS, etc.). For clients you do control, it's time to disable SSLv3. Expect long-tail echoes of embedded devices, APIs, and similar fallout. PayPal and downstream shopping carts are likely to be tricky.

Many products that can disable SSLv3 may not have all of the newer protocols enabled. If TLS 1.0 is the only option, take it. If TLS 1.1 and 1.2 are available, use them and disable TLS 1.0 if you can. Note that this may affect more clients.

In a broad sense, more SSLv3 discoveries are likely, and may be worse. Press now to turn down SSLv3 wherever you can. Where you can't, consider proxying, tunneling, or isolating subnets. If only access to specific sites is needed, filter to allow SSLv3 to only those sites, and provide an alternate client/browser for all other work.

I am not a PCI/HIPAA expert, but I suspect that many auditors will now see SSLv3 as being "an insecure protocol" - on the same blacklist as SSLv2. At a minimum, consider creating a documented sunset/containment/isolation plan so that remediation is demonstrably underway. Remote management (HP ILO, IPMI/BMC) on in-scope systems would also be a juicy target.

Note that a couple of experts have asserted that POODLE can only be practically exploited using JavaScript in a web browser, so prioritize your mitigation accordingly.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
NIST: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
US-CERT: https://www.us-cert.gov/ncas/alerts/TA14-290A
SecurityFocus: http://www.securityfocus.com/bid/70574


Discovery

Pre-announcement: http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/

Independent speculation then ended up being right:
From Thomas Pornin, one of the highest-ranked guys on the security Stack Exchange:
http://chat.stackexchange.com/transcript/message/18152298#18152298
"@RоryMcCune I don't have a twitter account. If you want, you may answer in my name: "my guess is a BEAST-like attack that abuses the ignored bytes in SSL 3.0 padding (1/256 chance of unnoticed alteration, modifies IV for next record).
Workaround: deactivate SSL 3.0 support (in browsers or servers or both)."

Official announcement and writeup from discoverers:
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
- Also see their list of all SSLv3-only IPs here: https://poodle.io/ipv4trusted.html
https://www.openssl.org/~bodo/ssl-poodle.pdf

Analysis

Technical

Thomas Pornin: https://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability
Adam Langley (Google) - excellent: https://www.imperialviolet.org/2014/10/14/poodle.html
- and then, Google announced that they are disabling SSLv3 fallback: https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Vnhy9aKM_l4
Daniel Stenberg (Mozilla/curl): http://daniel.haxx.se/blog/2014/10/17/curl-is-no-poodle/
Ivan Ristic (Qualys SSL Labs): https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack
Juliano Rizzo @julianor: POODLE less requirements than BEAST but slower than CRIME
Daniel Franke (technical historic analysis): https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html

Cisco: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_Poodle_10152014.html and http://tools.cisco.com/security/center/viewAlert.x?alertId=36084
Rapid7: https://community.rapid7.com/community/infosec/blog/2014/10/14/poodle-unleashed-understanding-the-ssl-30-vulnerability

Industry commentary

John Bonneau on inconsistent browser-vendor response (motivating the wrong consumer choices): https://freedom-to-tinker.com/blog/jbonneau/poodle-and-the-fundamental-market-failure-of-browser-security/

Attack Surface

zmap.io survey: https://zmap.io/sslv3/ aka https://poodle.io/. This also shows Alexa sites still supporting SSLv3, and other useful data. Also includes links to client and server mitigations.

ICSI Berkeley stats: http://notary.icsi.berkeley.edu/2014/10/16/sslv3-poodle-attack/

Detection and testing

Web-based

SANS ISC (client): https://www.poodletest.com/
Qualys SSL Labs (client): https://www.ssllabs.com/ssltest/viewMyClient.html
Qualys SSL Labs (server): https://www.ssllabs.com/ssltest/analyze.html
Qualys SSL Labs (server - beta / sneak preview of new tests, stay ahead of the curve): https://www.ssllabs.com/ssltest/analyze.html
Poodlebleed (server): http://poodlebleed.com/
poodletest.co (server): http://poodletest.co/

Command-line

Bash nmap one-liner (server):

nmap --script ssl-enum-ciphers -p 443 example.com | grep -A 1 SSLv3: \
    | if grep -q "No supported ciphers found"; then echo -e "\e[32mSecure\e[39m"; else echo -e "\e[31m\e[1mVulnerable\e[39m\e[0m"; fi

- A new POODLE-specific nmap NSE script: http://nmap.org/nsedoc/scripts/ssl-poodle.html
- Recommended usage: nmap -sV --version-light --script ssl-poodle 192.168.254.0/24

- Accuvant nmap:
nmap -T3 -n -vvv -PN -sV --open --script=ssl-enum-ciphers --webxml -oA POODLE_SCAN -iL targets.txt

openssl (HTTP): openssl s_client -ssl3 -connect [host]:[port]
openssl (non-HTTP): openssl s_client -starttls [smtp|pop3|imap|ftp|xmpp] -ssl3 -connect [host]:[port]

curl: curl -v -3 -I https://www.example.com

testssl.sh - a self-contained Bash script that can be used to scan internal resources that Qualys SSL Labs can't reach. Recommended. Use the -O option to test only for POODLE.

Products

Qualys: https://community.qualys.com/blogs/laws-of-vulnerabilities/2014/10/16/sslv3-and-poodle-attacks
Rapid7 Nexpose: (NOTE: requires both OS/platform update and signatures update): https://community.rapid7.com/community/nexpose/blog/2014/10/15/block-the-poodle-s-bite-how-to-scan-for-cve-2014-3566
- Note also that Nexpose interface itself now has SSLv3 disabled by default (can be re-enabled).
--- Add the following line to the CustomEnvironment.properties file located at [INSTALLATION_PATH]/nsc/CustomEnvironment.properties:
--- com.rapid7.nexpose.nsc.sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv3"
--- Then restart Security Console.
Symantec Endpoint Protection (SEP): signature here: http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27959
Tenable Nessus: http://www.tenable.com/plugins/index.php?view=single&id=78479
- stunnel plugin http://www.tenable.com/plugins/index.php?view=single&id=78584
Trustwave TrustKeeper: blog.spiderlabs.com/2014/10/trustkeeper-scan-engine-update-october-15-2014.html
WhiteHat Sentinel: https://blog.whitehatsec.com/what-you-need-to-know-about-poodlessl-3-0-vulnerability/

Pending

Testing not yet supported, but may be soon:
https://www.howsmyssl.com/

IDS/IPS

Check Point has released IPS signatures: http://www.checkpoint.com/defense/advisories/public/2014/cpai-15-oct1-3.html
Netwitness (RSA): detection support added to TLS-LUA parser. https://community.emc.com/thread/200930
Security Onion (general SSLv3 monitoring): http://blog.securityonion.net/2014/10/new-securityonion-web-page-package-adds.html
Snort rules: https://www.snort.org/advisories/vrt-rules-2014-10-15
HP Tippingpoint: none at this writing, but may show up in this search.

Logging

Apache/nginx syslogging, pcap extraction with tshark: https://isc.sans.edu/diary.html?storyid=18847&rss

Mitigation and Remediation

Good general resources

https://isc.sans.edu/diary/POODLE%3A+Turning+off+SSLv3+for+various+servers+and+client.++/18837
Reddit thread (OK): https://www.reddit.com/r/sysadmin/comments/2jbfry/poodle_mitigation_disable_sslv3/
Good general cipher refs:
Hynek: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
Excellent, detailed Mozilla reference with recommendations for many platforms: https://wiki.mozilla.org/Security/Server_Side_TLS
- See also the awesome Mozilla SSL Config Generator: https://mozilla.github.io/server-side-tls/ssl-config-generator/
BetterCrypto guide (PDF, excellent): https://bettercrypto.org/static/applied-crypto-hardening.pdf

Server-side: Disable SSLv3.

Good lists of server howtos:
https://zmap.io/sslv3/servers.html
http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566

Adobe Connect: https://blogs.adobe.com/connectsupport/disable-sslv3-on-any-means-of-ssl-encryption-used-to-secure-on-premise-adobe-connect/
Apache: SSLProtocol all -SSLv2 -SSLv3
- An interesting script for disabling SSLv3 in many Apache configs: https://github.com/stdevel/poodle_protector
AWS elastic load balancers: http://blog.matthewdfuller.com/2014/10/how-to-disable-sslv3-on-aws-elastic.html
IBM WebSphere: http://www-01.ibm.com/support/docview.wss?uid=swg21687173
Java Jetty: https://stackoverflow.com/questions/26382540/how-to-disable-the-sslv3-protocol-in-jetty-to-prevent-poodle-attack
lighttpd: ssl.use-sslv3 = "disable" - but only versions 1.4.29 or higher - see this bug: https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/1381910
Nginx: ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
Puppet (Enterprise, PuppetDB, MCollective): http://puppetlabs.com/blog/impact-assessment-sslv3-vulnerability-poodle-attack
Tomcat and JBoss Web: https://access.redhat.com/solutions/1232233
Ubiquiti: patches in beta, or disable SSLv3 as noted here: http://community.ubnt.com/t5/EdgeMAX/POODLE-CVE-2014-3566/m-p/1057321
Also consider upgrade to OpenSSL 1.0.1j /1.0.0o / 0.9.8zc : https://www.openssl.org/news/secadv_20141015.txt
- Or apply OpenSSL patch (harder): http://marc.info/?l=openssl-dev&m=141333049205629&w=2

Very interesting idea: send anyone using SSLv3 to a help page: (idea from http://pastebin.com/Uhvq68rA) :

RewriteEngine On
RewriteCond %{SSL:SSL_PROTOCOL} ^SSLv3$
RewriteRule ^.*$ https://zmap.io/sslv3/browsers.html [L,R=302]

Example: https://www.alpca.org/ (should redirect to zmap.io site if your SSL client negotiates SSLv3)

Server-side (non-HTTP): Disable SSLv3.

Credit for some: StackExchange answer
Barracuda: For each "service" (site): Basic -> Services -> Edit -> SSL -> SSL Protocols, then click the Disable radio button for SSL 3.0 -> Save. See: https://techlib.barracuda.com/waf/configssl
- May also need to upgrade to firmware 6.1.5.003: https://community.barracudanetworks.com/forum/index.php?/topic/24240-ssl-poodle-fix/
Dell: ?
Clearswift: ?
Courier: in /etc/courier-imap/pop3d.ssl and imapd-ssl, add !SSLV3 to TLS_CIPHER_LIST.
Dovecot: In /etc/dovecot/local.conf or /etc/dovecot/conf.d, ssl_protocols = !SSLv2 !SSLv3 - see http://nullr0ute.com/2014/10/disable-sslv3-in-dovecot/
Fortinet: http://www.fortiguard.com/advisory/2014-10-15-ssl-v3-poodle-vulnerability
Mailborder: ? (no mention in docs, and this search has zero hits)
McAfee Email Gateway (MEG): (requires version 7.5.3 + HF971179 (3016.109) or later or 7.6.2H1008011 (3044.109) or later): https://community.mcafee.com/community/business/email_web/meg/blog/2014/10/16/how-to-disable-sslv3-for-meg-smtp
- Disable SSLv3: https://kc.mcafee.com/corporate/index?page=content&id=KB83165 - Patches for OpenSSL pending: https://kc.mcafee.com/corporate/index?page=content&id=KB83178
Mimecast: not affected? https://kb.mimecast.com/About_Mimecast/Security_Matters/Information_on_the_POODLE_vulnerability
Postfix: smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
Proofpoint: ? (not clear; Sendmail-based, so might be feasible to modify an internal .mc file to use ServerSSLOptions and ClientSSLOptions to use the +SSL_OP_NO_SSLv3 command, but this may void warranties; consider opening a ticket with vendor)
Sendmail (sendmail.mc):
LOCAL_CONFIG
O CipherList=HIGH
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
SilverSky: ? (no mention on site, but this search may yield results someday)
Sophos: https://www.sophos.com/en-us/support/knowledgebase/121509.aspx
Symantec: https://support.symantec.com/en_US/article.TECH225622.html
Trustwave: https://www3.trustwave.com/support/kb/KnowledgebaseArticle20003.aspx
WatchGuard: ?

Client-side: Disable SSLv3.

Good lists of client howtos:
https://zmap.io/sslv3/browsers.html
https://isc.sans.edu/diary/POODLE%3A+Turning+off+SSLv3+for+various+servers+and+client.++/18837
Stack Exchange thread: http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566

Web browsers - desktop

Firefox plugin: https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
Firefox client workaround: about:config -> security.tls.version.min = 1 (and make sure that max is 1 or more)
Chrome client workaround: command line flag --ssl-version-min=tls1
... on Mac OS, try: https://apple.stackexchange.com/questions/150647/best-way-to-disable-sslv3-in-chrome-for-poodle-vulnerability
Chrome and Chromium being updated to support the new fallback protection.
- but will be disabling SSLv3 fallback entirely in Chrome 39, and SSLv3 completely in Chrome 40: https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Vnhy9aKM_l4
Internet Explorer: Internet Options -> Advanced tab -> uncheck 'SSLv3', make sure that TLS options are checked.
- or GPO: https://technet.microsoft.com/en-us/library/security/3009008.aspx#ID0EBG
Lynx: ? - other than disabling SSLv3 in the underlying OpenSSL, no clear remediation
Opera: upgrade. http://blogs.opera.com/security/2014/10/security-changes-opera-25-poodle-attacks/
- *very* interesting alternative method - "record splitting" - used by Opera team!
Safari: may be no way to disable? https://discussions.apple.com/thread/6597955
TorBrowser: https://blog.torproject.org/blog/new-sslv3-attack-found-disable-sslv3-torbrowser

Web browsers - mobile

Android: upgrade.
Blackberry: upgrade.
Chrome: update to latest; if older, see https://zmap.io/sslv3/browsers.html.
Firefox: update to latest; if older, see link above
Opera: update to latest; if older, see link above

Operating systems

Apple OS X 10.10 Yosemite: fixed in this release, as per: http://support.apple.com/kb/HT6535 and http://seclists.org/bugtraq/2014/Oct/102

Proxies

Astaro: https://www.astaro.org/gateway-products/web-server-security/54131-poodle-how-disable-sslv3.html
Barracuda: upgrade to 7.9.0.020: http://updates.cudasvc.com/cgi-bin/view_release_notes.cgi?type=bwsware&platform=2&version=7.9.0.020
- Disables SSLv3 in GUI, compiles in OpenSSL 1.0.1j with TLS_FALLBACK_SCSV, and now shows SSL protocol used in access and web firewall logs.
- Other information may show up in this search.
Blue Coat: https://www.bluecoat.com/security-blog/2014-10-15/backwards-compatibility-exposes-users-web-encryption-bug
Cisco/Ironport: still under investigation by Cisco, see: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
McAfee Web Gateway (MWG): https://community.mcafee.com/thread/74180 - Policy -> Settings -> Engines -> SSL Scanner -> Default Certificate Verification -> SSL Protocol version ->
- Set 'Use SSL 3.0' to 'off'
- Set 'use alternative handshake settings after handshake failure' to 'off'
- See also this guide for both client-side and server-side approaches: https://community.mcafee.com/docs/DOC-6559
F5 Secure Web Gateway: https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip
Squid: http://www.squid-cache.org/Doc/config/sslproxy_options/ - sslproxy_options NO_SSLv2,NO_SSLv3
stunnel: http://serverfault.com/questions/637312/protecting-against-poodle-ssl-on-stunnel
Trend Micro InterScan: http://esupport.trendmicro.com/solution/en-US/1105509.aspx
Trustwave Secure Web Gateway (SWG): https://www3.trustwave.com/support/kb/KnowledgebaseArticle19999.aspx
Websense Content Gateway: uses SSLv3 by default. Be sure to enable TLS 1.1 and 1.2 (TLS 1.0 not recommended). https://www.websense.com/support/article/kbarticle/SSLv3-POODLE-Vulnerability-CVE-2014-3566
Zscaler: nothing yet, may show up in this search

Alternative: implement fallback protection (TLS_FALLBACK_SCSV) in your SSL stack.

OpenSSL patch: http://marc.info/?l=openssl-dev&m=141333049205629&w=2
... which implements TLS_FALLBACK_SCSV: https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

Many Linux distros will receive this automatically when OpenSSL is upgraded.

Alternative: record splitting

Opera: upgrade to get record splitting. http://blogs.opera.com/security/2014/10/security-changes-opera-25-poodle-attacks/
Other platforms: unknown

Alternative: patch to support TLS_FALLBACK_SCSV, disable all CBC ciphers, and enable RC4?

Preliminary research indicates that if RC4 and TLS_FALLBACK_SCSV are enabled, IE6 and IE8 on XP should still be able to connect. Note, however, that Ivan Ristic of SSL Labs does not recommend this approach.
- Ref: http://serverfault.com/a/637843/40999
- According to a post from Dr. Stephen Henson, core OpenSSL developer: "If you disable CBC ciphers then you're only left with GCM and RC4. RC4 can't be used with TLS and GCM is only supported in DTLS 1.2."
- Relevant thread: http://openssl.6102.n7.nabble.com/Fwd-How-to-tweak-openSSL-vulnerabilities-CVE-2013-0169-td47311.html

It is claimed that you can disable all CBC ciphers, but I am not yet able to successfully do this. NOTE: It is up to you to determine the consequences for your user base. Preliminary research indicates that if RC4 is enabled, IE6 and IE8 on XP should still be able to connect.

Determining which CBC ciphers are supported is platform-dependent.

OpenSSL

There is no way to disable all CBC ciphers that I am aware of; rather, you have to disable all of the ones supported by the current OpenSSL. This means that if others are added later, you must disable the new ones manually.

$ openssl ciphers | sed 's/:/\n/g'  | grep CBC | sort
DES-CBC3-SHA
ECDH-ECDSA-DES-CBC3-SHA
ECDH-RSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
ECDHE-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
IDEA-CBC-SHA
KRB5-DES-CBC3-MD5
KRB5-DES-CBC3-SHA
KRB5-IDEA-CBC-MD5
KRB5-IDEA-CBC-SHA
PSK-3DES-EDE-CBC-SHA
PSK-AES128-CBC-SHA
PSK-AES256-CBC-SHA

Generating the list in cipher-disabling syntax (line breaks are artificial; this is one long string):

$ openssl ciphers | sed 's/:/\n/g'  | grep CBC | xargs | sed 's/ /:!/g;s/^/!/g'
!PSK-AES256-CBC-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!EDH-DSS-DES-CBC3-SHA:
!ECDH-RSA-DES-CBC3-SHA:!ECDH-ECDSA-DES-CBC3-SHA:!DES-CBC3-SHA:!IDEA-CBC-SHA:!PSK-AES128-CBC-SHA:!PSK-3DES-EDE-CBC-SHA:
!KRB5-IDEA-CBC-SHA:!KRB5-DES-CBC3-SHA:!KRB5-IDEA-CBC-MD5:!KRB5-DES-CBC3-MD5
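
Note that matching on "CBC" in the suite name only catches suites that OpenSSL happens to name that way; suites such as AES128-SHA also use CBC mode. The script below is an added example, not part of the original page: it classifies suites from the Enc= and Mac= columns of "openssl ciphers -v" output, builds the exclusion string, and lists CBC suites that an existing exclusion string does not yet cover. The function names and sample cipher lines are constructed for illustration, and it assumes that every suite that is not AEAD, RC4 or NULL uses CBC.

```shell
#!/bin/sh
# Added example: derive CBC exclusions from the Enc=/Mac= columns of
# `openssl ciphers -v` instead of matching "CBC" in the suite name.

# Constructed sample in `openssl ciphers -v` format (not captured output).
sample_ciphers() {
    cat <<'EOF'
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
EOF
}

# Print the names of CBC-mode suites found on stdin.
# Assumption: a suite is CBC when its Mac= is not AEAD and its Enc= is
# neither RC4 (stream cipher) nor None (no encryption).
cbc_suites() {
    awk '
        NF >= 6 {
            enc = ""; mac = ""
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^Enc=/) enc = substr($i, 5)
                if ($i ~ /^Mac=/) mac = substr($i, 5)
            }
            if (enc == "" || mac == "AEAD") next
            if (enc ~ /^RC4/ || enc ~ /^None/) next
            print $1
        }'
}

# Build the "!A:!B:!C" exclusion string (one line, sorted for stable diffs).
cbc_exclusions() {
    cbc_suites | LC_ALL=C sort -u |
        awk '{ printf "%s!%s", (NR > 1 ? ":" : ""), $1 } END { if (NR) print "" }'
}

# List CBC suites on stdin that the configured string ($1) does not exclude.
# Run after each OpenSSL upgrade to catch newly added CBC suites.
missing_exclusions() {
    configured=$1
    cbc_suites | LC_ALL=C sort -u | while read -r name; do
        case ":$configured:" in
            *":!$name:"*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Demo on the constructed sample.
sample_ciphers | cbc_exclusions
```

On a real host, pipe the live list in instead: openssl ciphers -v | cbc_exclusions.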

Alternative: firewall controls

iptables: https://blog.g3rt.nl/take-down-sslv3-using-iptables.html

Products

Vulnerable, or mixed:

Apple
- Safari (desktop): https://support.apple.com/kb/HT6531
- Apple TV: https://support.apple.com/kb/HT6542
Asterisk: http://downloads.asterisk.org/pub/security/AST-2014-011.html
Attachmate: http://support.attachmate.com/techdocs/2750.html
Bomgar: https://www.bomgar.com/community/post/bomgar-update-for-poodle
Blue Coat: https://bto.bluecoat.com/security-advisory/sa83 or search for CVE-2014-3566
Brocade (PDF): http://www.brocade.com/downloads/documents/technical_support_bulletins/brocade-assessment-openssl-poodle-vulnerability.pdf
CA: (just a "see our support site" blurb): https://communities.ca.com/community/product-vulnerability-response/blog/2014/10/15/ssl-30-poodle-cve-2014-3566-vulnerability?sr=stream&ru=1630471
Canonical / Ubuntu: http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3566.html
Check Point: (IPS module info, and how to set minimum TLS version): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102989
Cisco: most products with an HTTP web interface are likely affected. http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
Citrix: https://support.citrix.com/article/ctx200238
cPanel: fixable, but Firefox won't do TLS on alternate ports?! https://www.webhostingtalk.com/showthread.php?p=9264208
- See this forums post from cPanel staff: http://forums.cpanel.net/f185/sslv3-vulnerability-432641-p4.html#post1751021
- and the overall thread: http://forums.cpanel.net/f185/sslv3-vulnerability-432641-p5.html
- CentOS 6.x patches add support for TLS_FALLBACK_SCSV, but may not fix the overall POODLE vulnerability.
Dell:
- TPAM Appliance: https://support.software.dell.com/tpam-appliance/kb/134669?lang=en-US&kblang=en-US
F5: https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip
Firefox: https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
FreeBSD: only affects OpenSSL in FreeBSD 10. https://lists.freebsd.org/pipermail/freebsd-security/2014-April/007436.html
- VuXML: http://www.vuxml.org/freebsd/CVE-2014-3566.html, http://www.vuxml.org/freebsd/03175e62-5494-11e4-9cc1-bc5ff4fb5e7b.html
HAProxy: http://blog.haproxy.com/2014/10/15/haproxy-and-sslv3-poodle-vulnerability/
HP ILO: vulnerable, may never be patched; consider moving to isolated VLAN.
Imperva: http://www.imperva.com/Services/adc_advisories_response_poodle_CVE_2014_3566
Incapsula: http://www.incapsula.com/blog/poodle-sslv3-vulnerability.html
IPMI/BMC: probably none; consider isolating to separate VLAN.
Juniper: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10656&cat=SIRT_1&actp=LIST, or this search
LANDESK: https://community.landesk.com/support/docs/DOC-33132
Metasploit: https://community.rapid7.com/community/metasploit/blog/2014/10/17/metasploit-weekly-wrapup-poodle-mitigations
McAfee Web Gateway: ?
Microsoft: https://technet.microsoft.com/en-us/library/security/3009008.aspx
- Exchange: same as general Microsoft above, then restart Exchange.
- IIS: https://support.microsoft.com/kb/187498
--- (or this simple .reg file)
--- (or use this free third-party widget to control IIS crypto: https://www.nartac.com/Products/IISCrypto/)
- For all, note that TLS 1.1 and 1.2 not on by default in 2008R2 - see bottom of this post: http://dave.harris.uno/poodle-vulnerability-and-disabling-sslv3/
MySQL: http://www.percona.com/blog/2014/10/15/how-to-close-poodle-sslv3-security-flaw-cve-2014-3566/
Nebula: disabled SSLv3. https://www.nebula.com/blog/2014/10/16/security-engineering-nebula-wake-heartbleed-shells/
NetApp: https://library.netapp.com/ecmdocs/ECMP1155684/html/GUID-2DEFBBCC-F176-4FCA-9402-CCFDBD8A1D66.html
nginx: http://nginx.com/blog/nginx-poodle-ssl/
OpenWRT:
- Patched OpenSSL: https://dev.openwrt.org/browser/trunk/package/libs/openssl?rev=42947
- Patched PolarSSL: https://dev.openwrt.org/browser/trunk/package/libs/polarssl?rev=42947
Opera (interesting mitigation!) http://blogs.opera.com/security/2014/10/security-changes-opera-25-poodle-attacks/
Oracle: https://blogs.oracle.com/security/entry/information_about_ssl_poodle_vulnerability,
- Solaris 11.2 fix: https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_openssl6
- Sign-in required: https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1935500.1
- Oracle/Sun ILOM interfaces also run SSLv3, may be configurable; see https://community.oracle.com/thread/2246793?tstart=0
Parallels/Plesk: recommend disabling SSLv3. http://kb.sp.parallels.com/en/123160
pfSense: 2.1.x uses a vulnerable version of OpenSSL behind lighttpd, but no formal patch release yet (as of 2014-10-23 13:33)
- Manual patching (disables SSLv3): http://highsecurity.blogspot.com/2014/10/poodle-sslv3-vulnerabilities-fixes-on.html
- Forum thread: https://forum.pfsense.org/index.php?topic=82914.0
PolarSSL: https://polarssl.org/tech-updates/blog/sslv3-and-poodle-in-perspective
Puppet: risk low, but recommend disabling SSLv3. http://puppetlabs.com/blog/impact-assessment-sslv3-vulnerability-poodle-attack
QNAP: http://www.qnap.com/i/in/support/con_show.php?cid=63
Radware: https://kb.radware.com/questions/3599/Security+Advisory%3A+SSLv3+POODLE+Vulnerability+CVE+2014-3566
RedHat: https://access.redhat.com/articles/1232123
- backport of TLS_FALLBACK_SCSV: https://rhn.redhat.com/errata/RHSA-2014-1652.html
Riverbed: https://supportkb.riverbed.com/support/index?page=content&id=S25160
Solarwinds: uses OS SSL stack, see your OS docs. https://thwack.solarwinds.com/thread/69130
Splunk: http://www.splunk.com/view/SP-CAAANKE
Trustwave: https://www3.trustwave.com/support/kb/KnowledgebaseArticle20003.aspx
VMware: recommend disabling SSLv3. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2092133

Not vulnerable:
OpenVPN: https://forums.openvpn.net/topic17268.html

Responses (action taken by public services)

Accuvant: recommend disabling SSLv3. http://files.accuvant.com/web/file/5fb998f39c2648909894e86d86db99a6/POODLE_Bug_Advisory_V1_Final.pdf
Apple: disabled CBC ciphers under SSLv3 in Safari; no public statement. https://support.apple.com/kb/HT6531
Akamai: retiring SSLv3 by early November 2014: http://blogs.akamai.com/2014/10/ssl-is-dead-long-live-tls.html
- and https://blogs.akamai.com/2014/10/poodle-faq-what-akamai-customers-need-to-know.html
Amazon: recommend disabling SSLv3 in all clients and servers; upgraded to OpenSSL 1.0.1j in Linux AMIs; ELB no longer uses SSLv3.
- CloudFront howto: https://aws.amazon.com/security/security-bulletins/CVE-2014-3566-advisory/
Bitnami: recommend disabling SSLv3. http://wiki.bitnami.com/security/2014-10-15_POODLE_issue_with_SSLv3_(CVE-2014-3566)
Blue Coat: recommend disabling SSLv3. https://www.bluecoat.com/security-blog/2014-10-15/backwards-compatibility-exposes-users-web-encryption-bug
Cloudflare: disabled SSLv3. https://blog.cloudflare.com/sslv3-support-disabled-by-default-due-to-vulnerability/
DigitalOcean: recommend disabling SSLv3. https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability
EFF / HTTPS Everywhere: disabled SSLv3. https://twitter.com/EFF/status/522503371219935232
Fastmail: disabled SSLv3. http://blog.fastmail.fm/2014/10/15/ssl-3-0-disabled-due-to-security-vulnerability/
FireEye: recommend disabling SSLv3. http://www.fireeye.com/resources/pdfs/support-notices/fireeye-statement-about-poodle-ssl-3-0-vulnerability.pdf
Heroku: disabled SSLv3. https://status.heroku.com/incidents/678
HP (Helion): disabled SSLv3. https://community.hpcloud.com/article/cve%C2%AD-2014-%C2%AD3566%C2%A0-ssl-30-protocol-vulnerability
Jenkins project infrastructure: disabled SSLv3. http://jenkins-ci.org/content/cve-2014-3566-poodle-impact-jenkins
Joyent: recommend disabling SSLv3. https://help.joyent.com/entries/57703560-SSL-3-0-Vulnerability-CVE-2014-3566-POODLE-Advisory
Linode: disable SSLv3. https://linode.com/docs/security/security-patches/disabling-sslv3-for-poodle
MaxCDN: disabled SSLv3. http://status.maxcdn.com/incidents/56yt04j54dvt
McAfee: https://kc.mcafee.com/corporate/index?page=content&id=sb10090
Novell: recommend disabling SSLv3. http://www.novell.com/support/kb/doc.php?id=7015773
Palo Alto: recommend disabling SSLv3. http://researchcenter.paloaltonetworks.com/2014/10/poodle-like-1999/
Paypal: likely to impact customers and APIs/embedded, but going to disable SSLv3 ASAP: https://www.paypal-community.com/t5/PayPal-Forward/PayPal-Response-to-SSL-3-0-Vulnerability-aka-POODLE/ba-p/891829
- OXID shopping cart PayPal fix: http://forum.oxid-esales.com/showthread.php?p=151293
Princeton: disabled SSLv3. http://helpdesk.princeton.edu/outages/view.plx?ID=4757
Rackspace: recommend disabling SSLv3: http://www.rackspace.com/blog/ssl-protocol-3-0-vulnerability-aka-the-poodle-issue/
RedHat: recommend disabling SSLv3: https://securityblog.redhat.com/2014/10/15/poodle-a-ssl3-vulnerability-cve-2014-3566/
Ruby: disabled SSLv3. https://github.com/ruby/ruby/blob/397271caa378d3d682a0b55fbc089b891567bde4/ChangeLog
Slack: disabled SSLv3. http://slackhq.com/post/100127829750/slack-and-servers
Suse: recommend disabling SSLv3: https://www.suse.com/communities/conversations/poodle-weakness-ssl-protocol-cve-2014-3566/
Symantec: recommend disabling SSLv3: http://www.symantec.com/connect/blogs/poodle-vulnerability-old-version-ssl-represents-new-threat
Trend Micro: recommend disabling SSLv3: http://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/what-to-do-as-experts-reveal-poodle-attack-on-flawed-ssl-3-0
Twitter: Disabled SSLv3. https://twitter.com/twittersecurity/status/522190947782643712
UC Berkeley: disabled SSLv3. https://security.berkeley.edu/content/poodle-ssl-30-vulnerability-cve-2014-3566
Websense: recommend disabling SSLv3. http://community.websense.com/blogs/securitylabs/archive/2014/10/15/sslv3-quot-poodle-quot-vulnerability-cve-2014-3566.aspx
Zendesk: disabled SSLv3. https://support.zendesk.com/hc/en-us/articles/203765356-Security-Announcement-POODLE-SSLv3-Vulnerability

Exploitation

Pending. Once exploits are published, the attack, being a padding oracle attack, might be relatively easy to detect with an IDS, Snort, etc., but I am not an expert in this area.

https://github.com/EiNSTeiN-/poodle - proof-of-concept code, not tested by me

Matthew Green (Johns Hopkins) has a pretty good narrative description of how exploitation would generally work:
http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html

News and posts

Ars Technica: http://arstechnica.com/security/2014/10/ssl-broken-again-in-poodle-attack/
Dark Reading: http://www.darkreading.com/attacks-breaches/poodle-attacks-kills-off-ssl-30/d/d-id/1316663
David Wheeler: http://www.dwheeler.com/essays/poodle-sslv3.html
Errata Security: http://blog.erratasec.com/2014/10/some-poodle-notes.html
Fedora Magazine: http://fedoramagazine.org/what-you-need-to-know-about-the-sslv3-poodle-flaw-cve-2014-3566/
Google: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
Hacker News (good tech info): https://news.ycombinator.com/item?id=8456178
Matthew Green: http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html
Nikos M, GnuTLS author: http://nmav.gnutls.org/2014/10/what-about-poodle.html
SANS: https://isc.sans.edu/diary/OpenSSL%3A+SSLv3+POODLE+Vulnerability+Official+Release/18827
Threatpost: http://threatpost.com/new-poodle-ssl-3-0-attack-exploits-protocol-fallback-issue/108844
WhiteHat: https://blog.whitehatsec.com/what-you-need-to-know-about-poodlessl-3-0-vulnerability/
Wikipedia: https://en.wikipedia.org/wiki/POODLE
Wired: http://www.wired.com/2014/10/poodle-explained/

Other similar summaries

Mnemonic: http://www.mnemonic.no/en/Andre-sprak/English/Blog/Template-Vulnerability-Status-Update1/
Disable SSLv3 sites: http://disablesslv3.com/ | http://disablessl3.com/

Thanks

Thanks to the folks who helped contribute to this document. So far, all contributors have waived the right to be individually credited.

Whew!
