SSL/TLS issues - POODLE/BEAST/SWEET32 attacks and the End of SSLv3 + OpenSSL Security Advisory

This information is only available in English. If you need support concerning the following vulnerabilities, please contact iWeb Technical Support: http://iweb.com/contact

This article describes some known issues with SSL/TLS and OpenSSL, and also discusses the POODLE, BEAST and SWEET32 attack vulnerabilities.

What are SSL (Secure Sockets Layer) and TLS (Transport Layer Security)?

SSL and its successor TLS are cryptographic protocols that provide secure communications over computer networks.

There are six protocols in the SSL/TLS family:
- SSLv2: prohibited from use by the Internet Engineering Task Force (rfc6176)
- SSLv3: deprecated - not sufficiently secure (rfc7568)
- TLS1.0: considered insecure (vulnerable to the BEAST attack) and should not be used. No longer acceptable for PCI compliance (June 2018).
- TLS1.1: has no known security issues, but does not provide modern cipher suites (rfc5246#section-1.2)
- TLS1.2: has no known security issues and offers modern authenticated encryption (AEAD-based cipher suites).
- TLS1.3: released by the Internet Engineering Task Force in August 2018, TLS 1.3 removes many of the problematic options of previous TLS versions and only supports algorithms with no known vulnerabilities. It should be the main protocol used today.


What is a Cipher Suite?

A cipher suite is a set of cryptographic algorithms used during SSL or TLS sessions to secure network connections between the client and the server.

The set of algorithms that cipher suites usually contain include: a key exchange algorithm, a bulk encryption algorithm, and a Message Authentication Code (MAC) algorithm.

Some ciphers must be avoided:
- RC4: see CVE-2015-2808. Prohibited from use by the Internet Engineering Task Force (rfc7465)

- 64-bit block ciphers when used in CBC mode:
  - DES CBC: see CVE-2016-2183. Removed from TLS 1.2 (rfc5246)
  - IDEA CBC: considered insecure. Removed from TLS 1.2 (rfc5246)
  - 3DES EDE CBC: see CVE-2016-2183 (also known as the SWEET32 attack).
  - RC2 CBC: considered insecure. See CVE-2016-2183.

- DH (Diffie–Hellman key exchange smaller than 1024-bit) or DHE_EXPORT cipher suites: see CVE-2015-4000
- RSA_EXPORT cipher suites: see CVE-2015-0204
- NULL cipher suites since they provide no encryption.


What is OpenSSL?

OpenSSL is a software library toolkit, licensed under an Apache-style license, that implements the SSL and TLS protocols.
The OpenSSL community releases patches to fix identified vulnerabilities,
e.g. CVE-2014-3513 [High severity]: https://www.openssl.org/news/secadv_20141015.txt
OpenSSL security advisories are available at the following link: https://www.openssl.org/news/vulnerabilities.html


POODLE attack vulnerability

The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption", CVE-2014-3566) is a man-in-the-middle (MITM) exploit which allows an attacker to decrypt selected content within the SSL session.

Variations of the POODLE vulnerability also affect TLS, because an active MITM attacker can force a browser to downgrade the session to SSLv3, which can then be exploited.


BEAST attack vulnerability

The BEAST attack, reported as CVE-2011-3389, exploits a weakness in SSL/TLS cipher-block chaining (CBC), allowing a man-in-the-middle attacker to recover certain session information, such as cookie data, from what should be a secure connection.


SWEET32 attack vulnerability

The SWEET32 attack (assigned CVE-2016-2183) is a birthday (collision) attack against SSL/TLS cipher suites that use a 64-bit block cipher in CBC mode; it allows an attacker to recover plaintext from the encrypted data of a long-lived connection.



Is my Server Vulnerable to POODLE / SWEET32 / BEAST?

Here is an online tool to test your website for various SSL/TLS vulnerabilities, including POODLE:

https://www.ssllabs.com/ssltest/

If your website is vulnerable, the online report lists the SSL/TLS vulnerabilities that were found.



Alternatively, you can list all the cipher suites supported by your web server service by using the following command as root:
# nmap -Pn --script ssl-enum-ciphers -p 443 <Your-server-IP>

Output sample:

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Ciphersuite uses MD5 for message integrity
|       Weak certificate signature: SHA1
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Key exchange (dh 1024) of lower strength than certificate key
|       Weak certificate signature: SHA1
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Key exchange (dh 1024) of lower strength than certificate key
|       Weak certificate signature: SHA1
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Key exchange (dh 1024) of lower strength than certificate key
|       Weak certificate signature: SHA1
|_  least strength: C
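The nmap output above is long, and the same weaknesses repeat under every protocol version. The following script, added here as an example (it is not part of the original article or of nmap), parses an ssl-enum-ciphers report and applies the rules from the "Some ciphers must be avoided" section: it flags SSLv2/SSLv3/TLS1.0, the RC4, 64-bit block, export and NULL suite families, MD5 message integrity, and DH groups smaller than 2048 bits (an assumption chosen to match the 2048-bit certificate key in the sample; the script's warning for "dh 1024" corresponds to nmap's "lower strength than certificate key" line). The embedded report is an abridged copy of the article's sample with the indentation nmap normally prints restored; the regular expressions are assumptions about that layout.

```python
"""Audit an `nmap --script ssl-enum-ciphers` report against the rules in this article.

Added example, not from the original article or from nmap: parses the script's text
output and flags deprecated protocol versions, weak cipher families, MD5 MACs and
undersized DH groups. The regular expressions are assumptions about the output layout.
"""
import re

# Constructed sample: an abridged copy of the article's nmap output, with the
# indentation that the script normally prints restored.
SAMPLE_REPORT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|_  least strength: C
"""

PROTOCOL_RE = re.compile(r"^\|\s+(SSLv[23]|TLSv1\.[0-3]):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")

# Protocol versions the article says must be disabled.
DEPRECATED_PROTOCOLS = {
    "SSLv2": "prohibited (RFC 6176)",
    "SSLv3": "deprecated, POODLE (CVE-2014-3566, RFC 7568)",
    "TLSv1.0": "vulnerable to BEAST (CVE-2011-3389), not PCI compliant",
}

# Substrings of IANA suite names that identify the cipher families the article lists.
WEAK_SUITE_RULES = (
    ("_RC4_", "RC4 is prohibited (CVE-2015-2808, RFC 7465)"),
    ("_3DES_", "64-bit block cipher, SWEET32 (CVE-2016-2183)"),
    ("_DES_", "64-bit block cipher, SWEET32 (CVE-2016-2183)"),
    ("_IDEA_", "64-bit block cipher, removed from TLS 1.2"),
    ("_RC2_", "64-bit block cipher (CVE-2016-2183)"),
    ("_EXPORT", "export-grade suite (CVE-2015-0204 / CVE-2015-4000)"),
    ("_NULL_", "NULL cipher provides no encryption"),
    ("_MD5", "MD5 used for message integrity"),
)
MIN_DH_BITS = 2048  # assumption: match the 2048-bit RSA certificate key in the sample


def parse_report(text):
    """Return {protocol: [(suite, key_exchange, grade), ...]} in output order."""
    protocols = {}
    current = None
    for line in text.splitlines():
        m = PROTOCOL_RE.match(line)
        if m:
            current = m.group(1)
            protocols[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            protocols[current].append((m.group(1), m.group(2), m.group(3)))
    return protocols


def find_issues(text):
    """Return (protocol, subject, reason) findings; an empty list means nothing was flagged."""
    issues = []
    for protocol, suites in parse_report(text).items():
        if protocol in DEPRECATED_PROTOCOLS:
            issues.append((protocol, "protocol", DEPRECATED_PROTOCOLS[protocol]))
        for suite, kex, _grade in suites:
            for marker, reason in WEAK_SUITE_RULES:
                if marker in suite:
                    issues.append((protocol, suite, reason))
            dh = re.match(r"dh (\d+)$", kex)
            if dh and int(dh.group(1)) < MIN_DH_BITS:
                issues.append((protocol, suite, f"{kex}: DH group below {MIN_DH_BITS} bits"))
    return issues


if __name__ == "__main__":
    for protocol, subject, reason in find_issues(SAMPLE_REPORT):
        print(f"{protocol:8} {subject:40} {reason}")
```

Run it against a saved report (`nmap ... > report.txt`, then pass the file contents to `find_issues`) after each configuration change; when the list comes back empty for every protocol version the server still offers, the suites nmap saw no longer include the families this article tells you to remove.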


Resolution

To protect your server against POODLE/BEAST/SWEET32, SSLv3 and TLS1.0 must be disabled, and the cipher suites used by your various services (e.g. web, email, etc.) must be configured properly.

Additional testing to verify the security of the OpenSSL version used on your server must be performed.

Securing your server against SSL vulnerabilities might result in compatibility issues with older software. For example, after updating and securing your server, visitors to your website using older versions of Internet Explorer may not be able to view your website. Take the time to evaluate potential impacts to your users before applying changes.

Some popular ways of doing this are:

1) Having a second environment (i.e. staging environment) that is identical to your production environment where you can safely test changes first

2) Planning maintenance windows where you can apply changes to your live production environment and roll them back if an issue occurs
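The product-specific articles linked below show where to change these settings in each control panel. As a vendor-neutral illustration of what "disable SSLv3 and TLS1.0 and configure the cipher suites properly" means in code, the following example (added here; it is not from the original article or from any of the linked products) builds a server-side TLS context with Python's standard ssl module that refuses anything older than TLS 1.2 and excludes the cipher families listed above, then audits the resulting context so the check can run in a staging environment before a maintenance window. The cipher string and the name markers used by the audit are assumptions; adjust them to the clients you need to support.

```python
"""Server-side TLS configuration applying this article's resolution with Python's ssl module.

Added example, not from the original article: builds a context limited to TLS 1.2+ and
to the cipher suites that remain after excluding the families the article flags, then
audits what the context actually enables. Cipher string and markers are assumptions.
"""
import ssl

# OpenSSL cipher-string syntax: forward-secret AEAD suites first, then explicit
# exclusions of the families the article flags (RC4, 64-bit block ciphers, export,
# NULL, MD5). TLS 1.3 suites are selected separately by OpenSSL and are all AEAD.
HARDENED_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
    "!aNULL:!eNULL:!EXPORT:!MD5:!RC4:!3DES:!DES:!IDEA:!RC2"
)

# Fragments of OpenSSL cipher names that indicate a suite this article says to avoid
# (assumption: these substrings cover the weak families on a stock OpenSSL build).
WEAK_NAME_MARKERS = ("RC4", "DES", "IDEA", "RC2", "MD5", "NULL", "EXP")


def build_hardened_context():
    """A server context that rejects SSLv3/TLS1.0/TLS1.1 and uses HARDENED_CIPHERS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and TLS 1.1 are refused
    ctx.set_ciphers(HARDENED_CIPHERS)             # governs the TLS 1.2 suite list
    return ctx


def enabled_suite_names(ctx):
    """OpenSSL names of every suite the context would offer (TLS 1.2 and TLS 1.3)."""
    return [cipher["name"] for cipher in ctx.get_ciphers()]


def audit_context(ctx):
    """Return findings; an empty list means the context meets the article's recommendations."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum version {ctx.minimum_version.name} still allows TLS 1.1 or older")
    if not ctx.options & ssl.OP_NO_SSLv3:
        findings.append("SSLv3 is not disabled")
    for name in enabled_suite_names(ctx):
        for marker in WEAK_NAME_MARKERS:
            if marker in name:
                findings.append(f"weak suite enabled: {name} ({marker})")
                break
    return findings


if __name__ == "__main__":
    hardened = build_hardened_context()
    print("enabled suites:", ", ".join(enabled_suite_names(hardened)))
    print("findings:", audit_context(hardened) or "none")
```

Two points the audit cannot see from the context alone: the size of the DH group (the "dh 1024" warning in the nmap output) is set by the parameters you load with `load_dh_params`, so generate and load parameters of at least 2048 bits if you keep DHE suites; and a context that passes this audit still has to be tested against the clients you actually serve, which is what the staging environment and maintenance window above are for.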

The following articles provide technical details for common products:

WHM/cPanel:
https://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

Plesk:
https://support.plesk.com/hc/en-us/articles/115003001465-How-to-modify-SSL-protocols-and-SSL-Cipher-suite-in-Plesk
https://support.plesk.com/hc/en-us/articles/115000422229-How-to-enable-disable-particular-TLS-version-in-Plesk-on-Linux-
https://support.plesk.com/hc/en-us/articles/115002736754-How-to-disable-TLS-1-0-support-for-POP3-and-IMAP

Microsoft Windows Server:
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
ADFS: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

VMware:
https://kb.vmware.com/s/article/2147469

More products:
http://disablessl3.com/


External references:

https://www.openssl.org/~bodo/ssl-poodle.pdf
https://www.us-cert.gov/ncas/alerts/TA14-290A
https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/
https://blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites/
https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices  (https://www.ssllabs.com/projects/best-practices/)
https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls
https://msdn.microsoft.com/en-gb/library/windows/desktop/aa374757(v=vs.85).aspx
https://blogs.vmware.com/security/2014/10/cve-2014-3566-aka-poodle.html
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
https://www.ietf.org/blog/tls13/
