Educause Security Discussion mailing list archives
Re: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)
From: "Keller, Alex" <axkeller () STANFORD EDU>
Date: Thu, 16 Oct 2014 17:09:35 +0000
Nmap will work for building a quick list of SSLv3 enabled hosts. This syntax only checks 443, but you can add other ports as needed. Substitute your CIDR range for 10.10.10.0/22:

    nmap -sT -Pn -p 443 10.10.10.0/22 --script ssl-enum-ciphers.nse | grep "SLv3:.$" -B 5 -A 15 > SSLv3_hosts.txt

For those just catching up with their POODLES; relevant synopsis from the research paper "This POODLE Bites: Exploiting The SSL 3.0 Fallback":

"In the web setting, this SSL 3.0 weakness can be exploited by a man in the middle attacker to decrypt "secure" HTTP cookies, using techniques from the BEAST attack. To launch the POODLE attack (Padding Oracle On Downgraded Legacy Encryption), run a JavaScript agent on evil.com (or on http://example.com) to get the victim's browser to send cookie bearing HTTPS requests to https://example.com, and intercept and modify the SSL records sent by the browser in such a way that there's a nonnegligible chance that example.com will accept the modified record. If the modified record is accepted, the attacker can decrypt one byte of the cookies."

So this is a MITM technique, attacker with promiscuous network access (open Wi-Fi, physical/logical access to the network infrastructure) could intercept traffic and tamper with SSL requests back to the server in a manner that allows the recovery of cookie data one byte at a time by guessing, if the server accepts the record the byte is correct, if not, guess again.

Additional info:
https://www.imperialviolet.org/2014/10/14/poodle.html
http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html

Thanks to my esteemed colleagues for helping me wrap my head around how this works.

Best,
alex

Alex Keller
Information Technology
Stanford School of Engineering
axkeller () stanford edu
(650) 736-6421

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alan Amesbury
Sent: Thursday, October 16, 2014 7:39 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] POODLE: SSLv3.0 vulnerability (CVE-2014-3566)

On Oct 15, 2014, at 11:44 , Paul Howell <phowell () internet2 edu> wrote:
Given the large deployment of perfSONAR in our environments, I wanted to share the following.
While probably useless to those studying veterinary medicine, there's a poodle prober publicly available:

https://github.com/jeffmurphy/poodle-prober/blob/master/sslv3check.py

--
Alan Amesbury
University Information Security
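Added example, not part of the original messages and not nmap's own code: a small filter that turns the ssl-enum-ciphers output from the scan above into a plain host:port list for remediation tracking, instead of grep context blocks. It assumes nmap's normal text output and that a protocol with nothing on offer is reported as "SSLv3: No supported ciphers found"; the function names and the sample scan text are constructed for illustration.

```sh
#!/bin/sh
# Read nmap normal output on stdin, print host:port for every open port
# where ssl-enum-ciphers listed an SSLv3 section that actually has ciphers.
sslv3_hosts() {
    awk '
        # New host block: remember the address and forget the previous port.
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); port = ""; next }
        # Port table row such as "443/tcp open  https".
        /^[0-9]+\/tcp +open/ { split($1, p, "/"); port = p[1]; next }
        # Protocol header inside the script output. Assumption: a header
        # followed by "No supported ciphers found" means SSLv3 is not offered.
        /^\|[ _]+SSLv3:/ {
            if ($0 !~ /No supported ciphers/ && host != "" && port != "")
                print host ":" port
        }
    '
}

# Constructed sample output (not from a real scan): one host offering SSLv3,
# one host that only reports it as unsupported.
sample_scan() {
cat <<'EOF'
Nmap scan report for 10.10.10.5
Host is up.
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|_  least strength: strong

Nmap scan report for www.example.edu (10.10.10.9)
Host is up.
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|_  least strength: strong
EOF
}

sample_scan | sslv3_hosts
```

To use it on a real scan, pipe the nmap command's output into sslv3_hosts in place of the grep, and re-run after disabling SSLv3 to confirm the list is empty.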