POODLE Attack Mitigation for the Celestix Appliance Platform

Introduction

Recently, researchers at Google discovered a serious vulnerability in the SSL 3.0 protocol. When successfully exploited, this vulnerability allows an attacker to obtain sensitive information that is secured by it. SSL 3.0 is an old, outdated protocol that is not commonly used today. However, SSL 3.0 is still widely implemented and supported in most SSL software packages for backward compatibility for legacy applications. Since the attack leverages protocol downgrade from secure versions of TLS, many organizations could be at risk.

After the vulnerability was announced, Microsoft released security advisory 3009008. The security advisory includes information about mitigating factors and guidance for implementing workarounds to mitigate this vulnerability. As noted in the advisory, SSL 3.0 is only vulnerable to the POODLE attack when used in conjunction with cipher suites that support Cipher Block Chaining (CBC). However, stream ciphers present their own risk, so disabling the use of CBC is not recommended by Celestix.

Recommendations

For the highest level of protection for our customers, Celestix recommends that the use of SSL 3.0 be discontinued entirely across our appliance platform. This includes the MSA, WSA, and E-Series. Since all of our platforms are Windows-based, disabling SSL 3.0 is as simple as adding an entry in the registry. To do this, open the registry editor and navigate to HKLMSystemCurrentControlSetControlSecurityProvidersSChannelProtocolsSSL 3.0. If this key is missing, create it. Next, create a new key beneath the SSL 3.0 key called Server. Under this key create a DWORD value called Enabled set to 0. A server restart will be required for this change to take effect.

 

poodle bug blog POODLE Attack Mitigation for the Celestix Appliance Platform

Optionally you can disable SSL 3.0 by executing the following PowerShell commands from an elevated PowerShell window.

New-Item -Path “HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0Server” –Force

New-ItemProperty –Path “HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0Server” -PropertyType dword -Value 0 -Name Enabled

Compatibility

Customers are encouraged to conduct thorough testing with their clients in this scenario, as disabling SSL 3.0 may break some legacy applications. Although there are very few uses cases that require SSL 3.0, the most common will be outdated, unsupported clients such as Internet Explorer 6 on Windows XP. In some cases there may be additional client-side configuration required to enable support for TLS.

 

For further information, call us at +1 (510) 668 0700 or email us at info@celestix.com.