Re: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)

["Keller, Alex" <axkeller () STANFORD EDU>]

Nmap will work for building a quick list of SSLv3 enabled hosts. This syntax only checks 443, but you can add other 
ports as needed. Substitute your CIDR range for 10.10.10.0/22:

nmap -sT -Pn -p 443 10.10.10.0/22 --script ssl-enum-ciphers.nse | grep "SLv3:.$" -B 5 -A 15 > SSLv3_hosts.txt

For those just catching up with their POODLES; relevant synopsis from the research paper "This POODLE Bites: Exploiting 
The SSL 3.0 Fallback":

"In the web setting, this SSL 3.0 weakness can be exploited by a man in the middle attacker to decrypt "secure" HTTP 
cookies, using techniques from the BEAST attack. To launch the POODLE attack (Padding Oracle On Downgraded Legacy 
Encryption), run a JavaScript agent on evil.com (or on http://example.com) to get the victim's browser to send cookie 
bearing HTTPS requests to https://example.com, and intercept and modify the SSL records sent by the browser in such a 
way that there's a nonnegligible chance that example.com will accept the modified record. If the modified record is 
accepted, the attacker can decrypt one byte of the cookies."

So this is a MITM technique, attacker with promiscuous network access (open Wi-Fi, physical/logical access to the 
network infrastructure) could intercept traffic and tamper with SSL requests back to the server in a manner that allows 
the recovery of cookie data one byte at a time by guessing, if the server accepts the record the byte is correct, if 
not, guess again. 

Additional info:
https://www.imperialviolet.org/2014/10/14/poodle.html
http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html 

Thanks to my esteemed colleagues for helping me wrap my head around how this works.

Best,
alex

Alex Keller
Information Technology
Stanford School of Engineering
axkeller () stanford edu  
(650) 736-6421


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alan 
Amesbury
Sent: Thursday, October 16, 2014 7:39 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] POODLE: SSLv3.0 vulnerability (CVE-2014-3566)

On Oct 15, 2014, at 11:44 , Paul Howell <phowell () internet2 edu> wrote:

> Given the large deployment of perfSONAR in our environments, I wanted to share the following.

While probably useless to those studying veterinary medicine, there's a poodle prober publicly available:

        https://github.com/jeffmurphy/poodle-prober/blob/master/sslv3check.py


-- 
Alan Amesbury
University Information Security