SSL POODLE Security Exploit
Created by Marty Heyman, last modified by Greg Noe on Jul 16, 2015
Problem
The POODLE SSL 3.0 Vulnerability is a relatively recently reported SSL (OpenSSL) vulnerability. For several reasons, the OpenLDAP Project and Symas are convinced that Symas OpenLDAP is not vulnerable to such an attack via any existing LDAP Client software. It is possible that some malicious coder could overcome the complexities of mounting such an attack but fortunately the solution to closing this vulnerability is quite simple (see below).
From the USA-CERT Description of the POODLE Vulnerability.
The SSL 3.0 vulnerability stems from the way blocks of data are encrypted under a specific type of encryption algorithm within the SSL protocol. The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this new vulnerability to decrypt select content within the SSL session. The decryption is done byte by byte and will generate a large number of connections between the client and server.
While SSL 3.0 is an old encryption standard and has generally been replaced by TLS, most SSL/TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience. Even if a client and server both support a version of TLS the SSL/TLS protocol suite allows for protocol version negotiation (being referred to as the “downgrade dance” in other reporting). The POODLE attack leverages the fact that when a secure connection attempt fails, servers will fall back to older protocols such as SSL 3.0. An attacker who can trigger a connection failure can then force the use of SSL 3.0 and attempt the new attack. [1]
Two other conditions must be met to successfully execute the POODLE attack: 1) the attacker must be able to control portions of the client side of the SSL connection (varying the length of the input) and 2) the attacker must have visibility of the resulting ciphertext. The most common way to achieve these conditions would be to act as Man-in-the-Middle (MITM), requiring a whole separate form of attack to establish that level of access.
These conditions make successful exploitation somewhat difficult. Environments that are already at above-average risk for MITM attacks (such as public WiFi) remove some of those challenges.
Our analysis of the POODLE Vulnerability is somewhat differrent than reported above. Howard Chu (Chief Architect of OpenLDAP) writes:
The USA-CERT description is inaccurate. “The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0” - no, the POODLE attack takes advantage of broken clients that violate the TLS version negotiation feature. Clients that implement version negotiation according to the actual TLS spec are not vulnerable to the POODLE attack.
The only known clients that break TLS version negotiation are web browsers; they intentionally break the handshake protocol to allow connecting to legacy servers. The “downgrade dance” does not occur in conforming TLS client software.
Even though this is not a very threatening issue, many customer installations continue to use SSL Version 3.0 when several more recent, proven versions are readily available and should be deployed instead.
Solution
To mitigate the POODLE vulnerability, users should specify a TLS version that implements an SSL Protocol version greater than 3.0. TLS Versions 1.0 implements SSL versions 3.1, TLS 1.1 is SSL 3.2, and TLS 1.2 is SSL 3.3. All are currently (January 2015) available in Symas OpenLDAP’s implementation.
Depending on the method used to specify configuration options to OpenLDAP the settings are:
- For the older slapd.conf file form of configuration specifications, TLSProtocolMin should be set to 3.1, 3.2, or 3.3
- For the cn=config form of configuration, olcTLSProtocolMin should be set to 3.1, 3.2, or 3.3
NOTE: the parameter name is a little misleading. TLSProtocolMin (olcTLSProtocolMin) actually specifies the SSL Protocol Version.