Firefox poodle vulnerability

Hello, I heard that Firefox version 34 no longer supports SSLv3, but I currently have Firefox 34.0.5 and poodletest says I am vulnerable. How can I fix my vulnerability?

''cor-el [[#answer-669842|said]]''
<blockquote>
You can set the security.tls.version.min pref to 1 on the <b>about:config</b> page if the current value is 0.
You can open the <b>about:config</b> page via the location/address bar.
You can accept the warning and click "I'll be careful" to continue.
* http://kb.mozillazine.org/about:config
* http://kb.mozillazine.org/security.tls.version.*
0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, 3 means TLS 1.2 etc.
</blockquote>
It still says I am vulnerable.
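As an added example that is not part of the thread: a small Python check of a Firefox profile's prefs.js or user.js that reports the protocol range the security.tls.version.min/max prefs permit (using the value mapping from cor-el's answer) and rewrites the minimum to 1 (TLS 1.0). The sample prefs text is constructed; the assumed defaults for Firefox 34 are min=1 and max=3.

```python
import re

# Values of security.tls.version.min / .max, as listed in cor-el's answer.
VERSION_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}

# One user_pref("name", value); line of prefs.js or user.js.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(-?\d+|true|false|"[^"]*")\);\s*$')

# Constructed sample profile, not a real one: SSLv3 has been re-enabled by hand.
SAMPLE_PREFS = '''\
// Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "about:home");
user_pref("security.tls.version.min", 0);
user_pref("security.tls.version.max", 3);
'''


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict, keeping ints, bools and strings typed."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def allowed_range(prefs):
    """Return (lowest, highest) protocol names the profile allows. A prefs file only
    records values changed from the default; assumed Firefox 34 defaults: min=1, max=3."""
    lo = prefs.get("security.tls.version.min", 1)
    hi = prefs.get("security.tls.version.max", 3)
    return (VERSION_NAMES.get(lo, "unknown(%d)" % lo),
            VERSION_NAMES.get(hi, "unknown(%d)" % hi))


def sslv3_allowed(prefs):
    """True when the browser would still negotiate SSL 3.0, i.e. the minimum is 0."""
    return prefs.get("security.tls.version.min", 1) == 0


def fix_min_version(text, minimum=1):
    """Return the prefs text with security.tls.version.min forced to `minimum`,
    appending the pref when the file did not set it at all."""
    fixed_line = 'user_pref("security.tls.version.min", %d);' % minimum
    out, replaced = [], False
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == "security.tls.version.min":
            out.append(fixed_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(fixed_line)
    return "\n".join(out) + "\n"
```

Edit prefs.js or user.js only while Firefox is closed, since Firefox rewrites prefs.js on exit and would overwrite the change.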

Similar Messages

  • POODLE Vulnerability and AMS configuration in Adaptor.xml

    Hi,
    I am looking for some recommendation and guidance on how to ban AMS from using SSLv3 with RTMPS clients. I know that there is a configuration in Adaptor.xml called
    "SSLCipherSuite" which should be able to somehow prevent a specific protocol, but the Adobe documentation recommends contacting Adobe before changing that configuration.
    So I was wondering if Adobe has any official recommendation to prevent RTMPS clients from using SSLv3. Could someone please point me in the right direction?
    Thanks
    -Irtiza

    When will it be released?
    I can not comment on that...
    How will it support older browsers?
    Well, most likely it will disable SSLv3 support from within the application, so you will not need to change anything in the AMS configuration.
    All browsers which work on TLS 1.0 and higher will continue to work as they have been working till now.
    Note that even in the current release, if your browsers support TLS then TLS would be the preferred mode of connection and you will not be exposed to the SSLv3 attack.
    Even today, the POODLE vulnerability exists only if you are working on those browsers which do not support TLS.
    That said, you must upgrade your OpenSSL to 1.0.1j, because prior to that a hacker could exploit a hack in OpenSSL so that even if your endpoints support TLS, it can hack and make the connection protocol get downgraded to SSLv3... OpenSSL 1.0.1j fixes this protocol downgrade attack.
    The steps to compile OpenSSL for AMS are available in the public domain... please google and compile OpenSSL for yourself and drop that OpenSSL in your AMS installation.
    OpenSSL consists of two files: libeay32.dll and ssleay32.dll on Windows, and libssl.so.1.0.0 and libcrypto.so.1.0.0 on Linux...

  • Disable SSLv3 on Exchange 2010 server (Poodle Vulnerability)

    Following the recommendation to mitigate the Poodle vulnerability, we tried disabling SSLv3 and making sure that users had TLS 1.1 and 1.2 enabled on their browsers.
    We used IIScrypt to turn off SSLv3 (v2 was already disabled from before).
    Now, OWA works fine, and users are able to connect via the Web.
    Internally, users are also able to connect with Outlook 2010/2013.
    However, users are not able to connect via Outlook from outside (Outlook Anywhere).
    In the event viewer you get an error:
    A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105.
    I opened a ticket with Microsoft but the lady working on the case wanted us to re-enable SSLv2 which is out of the question.
    Has anybody seen this issue as well?

    Hi Max
    Could you provide the steps to turn off SSLv3? Is it from the registry
    http://support.microsoft.com/kb/187498 ?
    Mat A
    Yes. Copy and paste this into a text file and save as a .reg file, then double click on the file to add to the registry of the server
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
    "DisabledByDefault"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    "Enabled"=dword:00000000

  • SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability for Smart Switch SG200-26 26 Port

    Hi,
    I am having an SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability on my Smart Switch SG200-26 26 Port. Does anyone know how to solve this vulnerability?

    Quick-link to the PSIRT verified Email Security (ESA) vulnerability information as well as workaround:-
    https://tools.cisco.com/bugsearch/bug/CSCur27131

  • POODLE vulnerability - ASA 5520

    Hi
    I would like to know if my firewalls ASA 5520 (Cisco Adaptive Security Appliance Version 8.4(6), 8.2(1)) are vulnerable to the POODLE vulnerability.
    Which workaround should I apply? Would it have any impact on my VPN or DMZ servers?
    Thanks...

    Hi ,
    Both these ASA versions are vulnerable.
    Conditions:
    The default configuration of SSL on all versions of the ASA enables SSLv3.
    Due to CSCug51375, the ASA is unable to disable SSLv3 on ASA v9.0.x and v9.1.1.x.
    To see the SSL configuration:
    show run all ssl
    Default configuration of the ASA:
    ssl client-version any
    ssl server-version any
    The following non-default configuration values also enable SSLv3:
    ssl client-version sslv3-only
    ssl client-version sslv3
    ssl server-version sslv3-only
    ssl server-version sslv3
    The following versions are vulnerable regardless of ssl configuration:
    * 9.0.x
    * 9.1.1.x
    Workaround:
    Disable SSLv3, write the changes to the startup-config.
    This workaround only applies to the following versions:
    * 7.x and later
    * 8.2 and later
    * 8.3 and later
    * 8.4 and later
    * 8.5 and later
    * 8.6 and later
    * 8.7 and later
    * 9.1.2 and later (with CSCug51375 fix)
    * 9.2.1 and later (with CSCug51375 fix)
    * 9.3.1 and later
    Use the following config-mode commands:
    ssl server-version tlsv1
    ssl client-version tlsv1-only
    There is no need to reboot. The configuration must be saved via "write memory".
    Here is the bug details CSCur23709
    Known fixed ASA versions 9.0(4.201) ,9.2(2.103),9.3(1.1)
    Thanks,
    Prashant Joshi

  • SSLv3 Poodle vulnerability

    Does anyone have any more info on the SSLv3 POODLE vulnerability, in that are any of the Cisco switches, in particular the ACE load balancer (if they do SSL offloading), vulnerable to this?
    http://www.wired.com/2014/10/poodle-explained/
    If so, is there a way to disable SSLv3?

    To disable SSLv3, do something like this:
    parameter-map type ssl PARAMMAP_SSL
      cipher RSA_WITH_3DES_EDE_CBC_SHA
      cipher RSA_WITH_AES_128_CBC_SHA priority 2
      cipher RSA_WITH_AES_256_CBC_SHA priority 3
      version TLS1
    ssl-proxy service SSL_PSERVICE_SERVER
      ssl advanced-options PARAMMAP_SSL
    (Omitted all the other important, but not to this exact solution, stuff in the ssl-proxy config)

  • [CVE-2014-3566] SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability

    Cisco is aware of the reported vulnerability and is currently investigating this report.  Cisco is evaluating products to determine their exposure to this vulnerability.
    Cisco has issued an official PSIRT notice for the SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
    Please refer to the following information, as provided from our Product Security Incident Response Team (PSIRT):
    SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
    Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at:
    http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html 
    This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at:
    http://www.cisco.com/go/psirt

    Quick-link to the PSIRT verified Email Security (ESA) vulnerability information as well as workaround:-
    https://tools.cisco.com/bugsearch/bug/CSCur27131

  • Disabling SSL v3 in OAS10gR1 (9.0.4) to address Poodle vulnerability?

    Has anyone been able to get OAS10gR1 (9.0.4) to recognize a protocol other than SSLv3 – such as TLS? We know that this version of the OAS supports SSLv3 primarily – but we are attempting to address the SSLv3 Poodle Vulnerability. Any advice where this is concerned would be appreciated.

    Hi ,
    The version OAS10gR1 (9.0.4) has been de-supported since 31-Dec-2008, and as this relates to security we would require you to upgrade to the latest version, which is 11g, and then apply the latest CPU patches.
    If the same issue still exists even after upgrading and applying the latest CPU patches, please open an SR with Support.
    Regards,
    Prakash.

  • Mitigating SSL v3 POODLE Vulnerability (CVE-2014-3566)

    Hi all,
    Another day, another vulnerability. Feel like we are swimming against the tide.
    Now, SSL v3 has been shown to be vulnerable (it looks like a protocol issue, not an implementation issue, so patches are doubtful), and so I am looking at what we can do to mitigate this. Clients (such as IE, Firefox and Chrome (sort of)) can be set to disable SSL v3, but rolling this out across an enterprise might not be that easy.
    In IIS (that would be running TMS) you can switch off SSL v3 via a registry edit, but are there any knock-on effects? What about the web services built into codecs, MCUs and other infrastructure devices: can SSL v3 be switched off?
    Look forward to the responses.
    Cheers
    Chris

    Hi All,
    This tidbit is not Cisco orientated per se, but some of you might find it useful if you haven't found the info yourselves already (it's what I sent around to my team here):
    There are many things you can do to mitigate this vulnerability, as you can also disable SSL3 in various clients (although this might affect communication with legacy systems).
    Firefox – Version 34 (due for release at the end of November) will disable SSL v3 by default, but they have released a plug-in that can disable this immediately. See https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
    IE – You can turn off SSL 3 from Settings --> Internet Options --> Advanced --> Security section; however, if you find that the options to check SSL/TLS are greyed out (as they are on my machine), this may be a hangover from a previous security software installation.
    However, I will override this using GPO so domain-joined PCs will have this setting updated. The GPO applied to the domain is:
    Computer Setting --> Administrative Templates --> Windows Components --> Internet Explorer --> Internet Control Panel --> Advanced Page --> Turn Off Encryption Support = TLS 1.0, TLS 1.1, and TLS 1.2 ONLY
    Chrome – This is a little more difficult. It seems you can only do this at this moment in time by adding a switch to the start-up command (you can modify the shortcut on either Windows or Mac). Check out https://zmap.io/sslv3/browsers.html

  • How to disable SSL v3 for sun os 5.6 (OAS 4.0.8), I am facing POODLE vulnerability issue?

    My website is hosted on Sun OS 5.06 (OAS 4.0.8) and uses the web server Oracle_Web_Listener/4.0.8. The website is configured to use https for secure pages and it was working fine for the last 10 years, but suddenly I am getting complaints from my customers that they cannot browse the site on Chrome version 40 and above and Firefox 34 and above.
    I searched for this issue and found that there is a POODLE attack which may be causing this issue. Now the only solution I can see is to disable SSL v3 on the server.
    Can anyone help me out with the process or an idea of how to disable SSL v3 on this old server? It is a Sun Microsystems server.

    Hi Aamir,
    This is old software; it has been a while since I saw one of these.
    Normally when SSL was set up there were two listeners, one with SSL and one without, on a different port, so you could try to find this second port, which may work without any need to change the configuration.
    Else, try to check in the OAS manager (usually on port 8888), under HTTP listener -> WWW -> Network: if there is a setup only for the SSL port, you will need to add a new line with the same configuration but a different port and the security disabled.
    Also, there may be some setting in the application itself for the URL path. If so, when you navigate in the application it will try to redirect you back to the SSL port. In that case you will need to figure out where to change that, which depends on the application itself.
    Found this page on Google with the process to set up SSL on OAS 4.0; you need to do the inverse of step 5.
    WoSign Support: SSL Certificates Installation Instruction - Oracle Web Server (OAS 4.0.8)
    Regards,
    Luis

  • RRAS, SSTP and POODLE Vulnerability

    Is the RRAS implementation of a SSTP VPN vulnerable to Poodle attacks?

    Hi,
    I can't find any document about the vulnerability of SSTP.
    Based on my research, the POODLE attack is a man-in-the-middle exploit which takes advantage of a client's fallback to SSL 3.0. To mitigate the POODLE attack, one way is to completely disable SSL 3.0 on the client side and the server side.
    To disable SSL 3.0 on Windows, please modify the registry below.
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client] "DisabledByDefault"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server] "Enabled"=dword:00000000
    Important: Please back up the registry before you modify it. Then, you can restore the registry if a problem occurs. 
    How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
    https://support.microsoft.com/kb/245030?wa=wsignin1.0
    Best Regards.
    Steven Lee
    TechNet Community Support

  • POODLE vulnerability

    Hi,
    I'm getting this threatening message from our admin (see below). I know this is being investigated (http://www.blackberry.com/btsc/KB36397), but they will throw my phone off the network in two days. Are there known workarounds? Why is port 443 open anyway?
    anze
    System Name/IP : XX
    MAC Address : a4e4b80ef72b
    Owner/Admin : XX
    Last Scanned : 2014-11-04 09:58:07
    You are being contacted because you are listed as the admin/owner
    of the above system.
    ** At least one high or medium risk vulnerability remains on this system,
    and must be accounted for before 2014-11-12! **
    Remediation will generally involve a combination of two approaches:
    1) Addressing the problem directly (e.g. apply vendor patches,
    disabling unnecessary services, etc.). Or,
    2) If a vulnerability cannot be remediated for any reason, an
    exception will have to be made. When you mark an exception
    you will have to provide a justification as well as a category
    (false positive, operational need, not correctable, etc.)
    ** Note that all exceptions/justifications will be audited! **
    Note that you will need to re-scan the system after you take any
    of the above remediation actions, to confirm the results.
    If nothing is done, this system will be queued to be blocked at
    9 am on 2014-11-12. Once queued, the only way to release the
    system will be to call the ITD Help Desk at x5522.
    This is the 2nd notice (the original notice was sent on 2014-11-05).
    [1] Service: www (443/tcp), Risk: MEDIUM, ID: 78479
    Synopsis :
    It is possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.
    Description :
    The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. A MitM attacker can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.
    As long as a client and service both support SSLv3, a connection can be 'rolled back' to SSLv3, even if TLSv1 or newer is supported by the client and service.
    The TLS Fallback SCSV mechanism prevents 'version rollback' attacks without impacting legacy clients; however, it can only protect connections when the client and service support the mechanism. Sites that cannot disable SSLv3 immediately should enable this mechanism.
    This is a vulnerability in the SSLv3 specification, not in any particular SSL implementation. Disabling SSLv3 is the only way to completely mitigate the vulnerability.
    See also :
    https://www.imperialviolet.org/2014/10/14/poodle.html
    https://www.openssl.org/~bodo/ssl-poodle.pdf
    https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
    Solution :
    Disable SSLv3.
    Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be disabled.
    Risk factor :
    Medium / CVSS Base Score : 4.3
    (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
    Plugin output :
    Nessus determined that the remote server supports SSLv3 with at least one CBC
    cipher suite, indicating that this server is vulnerable.
    It appears that TLSv1 or newer is supported on the server. However, the
    Fallback SCSV mechanism is not supported, allowing connections to be "rolled
    back" to SSLv3.
    CVE : CVE-2014-3566
    BID : 70574
    Other references : OSVDB:113251,CERT:577193,IAVA:2014-A-0166
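An added Python model, not part of the scan output or of the thread, of the two points the scanner description makes: the SSLv3 CBC padding check compared with the TLS one (the root cause), and why TLS Fallback SCSV stops a rollback only when both client and server implement it while disabling SSLv3 on the server closes it outright. It is a pure protocol model with no networking; the record body and version lists are constructed.

```python
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # ordered lowest to highest


# Part 1: the CBC padding rule that makes SSLv3 a padding oracle.

def pad(data, block):
    """Pad so both rule sets accept it: L filler bytes each equal to L, then L itself."""
    L = (block - (len(data) + 1) % block) % block
    return data + bytes([L]) * (L + 1)


def unpad_sslv3(pt, block):
    """SSLv3 receiver: only the final length byte is checked (it must be < block).
    The filler bytes are never inspected, so their content is irrelevant."""
    L = pt[-1]
    if L >= block or len(pt) < L + 1:
        raise ValueError("bad_record_mac")
    return pt[:-(L + 1)]


def unpad_tls(pt):
    """TLS 1.0+ receiver: every filler byte must equal the length byte."""
    L = pt[-1]
    if len(pt) < L + 1 or any(b != L for b in pt[-(L + 1):]):
        raise ValueError("bad_record_mac")
    return pt[:-(L + 1)]


def padding_rules_compared(block=8):
    """Build one record with valid padding, overwrite its filler bytes, and return
    (sslv3_accepts, tls_accepts). SSLv3 still strips it cleanly: its accept/reject
    decision depends only on the last decrypted byte, which is the oracle the
    scanner description refers to."""
    body = b"cookie=secret"  # constructed plaintext; on the wire this would be data||MAC
    pt = pad(body, block)
    L = pt[-1]
    damaged = pt[:-(L + 1)] + b"\x41" * L + pt[-1:]  # filler no longer equals L
    sslv3_ok = unpad_sslv3(damaged, block) == body
    try:
        unpad_tls(damaged)
        tls_ok = True
    except ValueError:
        tls_ok = False
    return sslv3_ok, tls_ok


# Part 2: version rollback and the TLS_FALLBACK_SCSV signal (model only).

def server_select(client_version, server_min, server_max, scsv_sent, server_knows_scsv):
    """Server side of version negotiation. Returns the chosen version, or None when
    the server refuses: either the offered version is below its configured minimum,
    or the client signalled a fallback that the server knows was not needed."""
    cv, lo, hi = (VERSIONS.index(x) for x in (client_version, server_min, server_max))
    if cv < lo:
        return None  # SSLv3 disabled on the server: nothing to roll back to
    if scsv_sent and server_knows_scsv and hi > cv:
        return None  # inappropriate_fallback
    return VERSIONS[min(cv, hi)]


def fallback_dance(client_max, server_min, server_max, client_knows_scsv,
                   server_knows_scsv, tls_attempts_blocked):
    """Browser-style retry loop: after a failed handshake the client retries one
    version lower. `tls_attempts_blocked` models a hostile path that breaks every
    attempt above SSLv3 (the 'rolled back' condition in the scan output).
    Returns the negotiated version, or None if no connection is established."""
    for v in reversed(VERSIONS[:VERSIONS.index(client_max) + 1]):
        if tls_attempts_blocked and v != "SSLv3":
            continue  # handshake never completes; client falls back one step
        scsv = client_knows_scsv and v != client_max  # SCSV is sent only on a retry
        return server_select(v, server_min, server_max, scsv, server_knows_scsv)
    return None
```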

    Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.
    TLS 1.0, TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected. BlackBerry products use TLS 1.0 or better by default when connecting to websites. 
    Each encrypted connection uses a different key and recovering the plain text of one session does not compromise other sessions.
    This issue is mitigated for all customers by the requirement that an attacker would need to force the server and client to downgrade to the legacy SSLv3 protocol. This would require that the attacker successfully simulate a network or request failure. The attacker would also need to force the encrypted data to contain known plain text unless the attacker can reliably guess a part or all of the plain text. Any attempt to guess plain text data would rely on the data being in the exact same position within the network packets each time and in practice it is unlikely that this will be possible.
    This issue is mitigated for BlackBerry smartphone customers by the requirement that an attacker must first gain at least partial control of the network and of the server. The browser would then need to communicate with the attacker-controlled server over an attacker-controlled network on a repeated basis. If the connection is not compromised or the server is not under the control of the attacker, or if the attacker is unable to cause known data to be sent repeatedly between the server and the client, the SSLv3 weakness cannot be used to recover unencrypted data. The attacker has no way of forcing such a connection to occur.
    Follow me on Twitter @knottyrope

  • Patch for Dreamweaver CS5 or 6 from Poodle Vulnerability

    GoDaddy ran a security patch for Poodle and now Dreamweaver can't connect. FTP over SSL/TLS explicit encryption is used. Is there a patch from Adobe for Dreamweaver?

    The perpetual license of CS6 is essentially Adobe's response to those folks who absolutely refuse to switch to the Creative Cloud Subscription plans. It's actually 3 versions (4 if you count Cloud CS6) removed from "current". Even though it's still available for purchase, it hasn't been receiving any updates and is getting further and further behind DWCC as time goes by.
    Adobe has a phone number, you just need to dig...
    Contact Customer Care
    Click Dreamweaver > How-to's and troubleshooting > Troubleshoot > click the big blue Still Need Help button
    That will give you Chat (if available) Phone (region specific) and Forums links

  • Stop poodle vulnerability in oracle application server

    Hello guys.
    Our enterprise is using Oracle Application Server in front of an Oracle database. We are using Oracle Wallet Manager (installed with Oracle Client 10) to create self-signed certificates. As you may know, Wallet Manager in v10 has some limitation in key size or ... (I don't know exactly the limitation and I hope you could help me on it).
    When we want to issue a certificate, at first we create a certificate request with Wallet Manager and then issue it based on that certificate in the Windows Server CA.
    Now I have some questions:
    1- What are the limitations of using Wallet Manager in v10 to issue the self-signed certificate?
    2- Is there another way to create a self-signed certificate without Wallet Manager v10? (When I try the newest versions, the Oracle application fails to open the certificate.)
    3- And my most important question:
    Can I stop the POODLE attack in the Oracle application? (I read somewhere that the POODLE attack doesn't apply to TLSv1, so I guess it's better to ask my question this way:
    does Oracle Application Server support TLSv1?)
    I really appreciate any sort of help.
    Thank you.

    Hi Muhammad,
    What do you mean by BI? Do you mean Forms & Reports servers or Discoverer?
    Anyhow, you can download BI separately; the contents of BI are as follows:
    Oracle Business Intelligence Discoverer
    Oracle HTTP Server
    Oracle Application Server Containers for J2EE (OC4J)
    Oracle Enterprise Manager 10g Application Server Control
    Oracle Application Server Web Cache
    Oracle Application Server Reports Services
    Also you can download Forms & report servers separately.
    Regards,
    Hamdy

  • Lync 2010 - Poodle vulnerability?

    Is the FE or Edge server at risk?
    thanks
    Eva

    POODLE affects SSLv3, or version 3 of the Secure Sockets Layer protocol, which is used to encrypt traffic between a browser and a web site or between a user's email client and mail server.
    The Edge server doesn't provide any web services, so it's not the Edge server.
    The Lync FE caters to http\https traffic.
    This is a man-in-the-middle kind of attack; not sure what the hacker will gain by presenting you a Lync Meeting page or a Lync dial-in page.
    As a server [administrator], you probably don't need to panic if your customers are coming in over home connections. Only if they're coming in over [something like] a Starbucks Wi-Fi.
    POODLE targets the clients.
    Regards, Edwin Anthony Joseph
