SSLv3 Poodle vulnerability

Similar Messages

• Sslv3 poodle vulnerability and sharepoint site using https

  Hi
  Is it safe  to run IIS crypto tool and choose
  'FIPS 140-2'  on Sharepoint WFe
  We have one web application accessible to users using HTTPS with a  valid  SSL from CA.

  FIPS 140-2 is not supported by SharePoint and enforcing it will break SharePoint.
  Instead, disable SSLv3 support in IIS.
  https://www.digicert.com/ssl-support/iis-disabling-ssl-v3.htm
  https://support.microsoft.com/kb/187498/
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• CUCM 8.6(2): evaluation of SSLv3 POODLE vulnerability

  Hi,
  As per the bug toolkit CUCM version 8.6(2) is affected by the following bug CSCur23720.
  I tried to check for a COP file to fix this issue but didn't find.
  Please advise .

  Hi
  I would contact TAC to see if they have something for  you - I don't see a specific COP, and there doesn't seem to be a 'fixed-in' 8.x version referenced in the bug report..
  Aaron

• Disabling SSL v3 in OAS10gR1 (9.0.4) to address Poodle vulnerability?

  Has anyone been able to get OAS10gR1 (9.0.4) to recognize a protocol other than SSLv3 – such as TLS? We know that this version of the OAS supports SSLv3 primarily – but we are attempting to address the SSLv3 Poodle Vulnerability. Any advice where this is concerned would be appreciated.

  Hi ,
  The version OAS10gR1(9.0.4) is de-supported since 31st-Dec-2008 and as this relates to security we would require you to upgrade to the latest version which is 11g and the apply the latest CPU patches.
  If the same issue still exists even after upgrade and applying the latest CPU patches request you Open and SR with Support.
  Regards,
  Prakash.

• Disable SSLv3 on Exchange 2010 server (Poodle Vulnerability)

  Following the recommendation to mitigate the Poodle vulnerability, we tried disabling SSLv3 and making sure that users had TLS 1.1 and 1.2 enabled on their browsers.
  We used IIScrypt to turn off SSLv3 (v2 was already disabled from before).
  Now, OWA works fine, and users are able to connect via the Web.
  Internally, users are also able to connect with Outlook 2010/2013.
  however, users are not able to connect via Outlook from outside (Outlook anywhere)
  In the event viewer you get an error:
  A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105.
  I opened a ticket with Microsoft but the lady working on the case wanted us to re-enable SSLv2 which is out of the question.
  Anybody has seen this issue as well?

  Hi Max
  could you provide the steps to turn off SSLv3 . Is it from the registry
  http://support.microsoft.com/kb/187498 ?
  Mat A
  Yes. Copy and paste this into a text file and save as a .reg file, then double click on the file to add to the registry of the server
  Windows Registry Editor Version 5.00
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
  "DisabledByDefault"=dword:00000001
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
  "Enabled"=dword:00000000
  Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

• POODLE Vulnerability and AMS configuration in Adapator.xml

  Hi,
  I am looking for some recommendation and guidance on how to ban AMS from using SSlV3 in with RTMPS clients. I know about that there's a configuration in Adaptor.xml called
  "SSLCipherSuite" which should be able to somehow prevent a specific protocol, but the Adobe documentation recommends contacting with Adobe before changing that configuration.
  So I was wondering if Adobe has any official recommendation to prevent RTMPS client from using SSLV3. Could someone please point me to the right direction?
  Thanks
  -Irtiza

  When will it be released?
  I can not comment on that...
  How will it support older browsers?
  Well most likely it will disable SSLv3 support from within the application. So you will not need to change anything in AMS ocnfiguration.
  All browsers which work on TLS 1.0 and higher will continue to work as they were working till now.
  Note that even in current release, if your browsers support TLS then TLS would be preferred mode of connection  and you will not be exposed to SSLv3 attack.
  Even today, POODLE vulnerability exists only if you are working on those browsers which do not support TLS.
  That said, you must upgrade your openssl to 1.0.1j, because prior to that a hacker could exploit a hack in openssl so that even if your endpoints supports TLS, it can hack and make the connection protocol get downgraded to SSLv3...openssl to 1.0.1j fixes this downgrade protocol attack..
  The steps to compile openssl for AMS are available in public domain..please google and compile openssl for yourself and drop that openssl in your AMS installation.
  Openssl consists of two files libeay32.dll and ssleay32.dll on windows  AND libssl.so.1.0.0 and libcrypto.so.1.0.0 on Linux...

• POODLE vulnerability - ASA 5520

  Hi
  I would like to know if my firewalls ASA 5520 (Cisco Adaptive Security Appliance Version 8.4(6), 8.2(1)) are vulnerables to the Poodle vulnerability.
  Which workaround should i do??? it would have any impact in my VPN or servers DMZ????
  Thanks...

  Hi ,
  Both these  ASA versions are vulnerable 
  Conditions:
  The default configuration of SSL on all versions of the ASA enables SSLv3.
  Due to CSCug51375, the ASA is unable to disable SSLv3 on ASA v9.0.x and v9.1.1.x.
  To see the SSL configuration:
  show run all ssl
  Default configuration of the ASA:
  ssl client-version any
  ssl server-version any
  The following non-default configuration values also enable SSLv3:
  ssl client-version sslv3-only
  ssl client-version salve
  ssl server-version sslv3-only
  ssl server-version sslv3
  The following versions are vulnerable regardless of ssl configuration:
  * 9.0.x
  * 9.1.1.x
  Workaround:
  Disable SSLv3, write the changes to the startup-config.
  This workaround only applies to the following versions:
  * 7.x and later
  * 8.2 and later
  * 8.3 and later
  * 8.4 and later
  * 8.5 and later
  * 8.6 and later
  * 8.7 and later
  * 9.1.2 and later (with CSCug51375 fix)
  * 9.2.1 and later (with CSCug51375 fix)
  * 9.3.1 and later
  Use the following config-mode commands:
  ssl server-version tlsv1
  ssl client-version tlsv1-only
  There is no need to reboot. The configuration must be saved via "write memory".
  Here is the bug details CSCur23709
  Known fixed ASA versions 9.0(4.201) ,9.2(2.103),9.3(1.1)
  Thanks,
  Prashant Joshi

• SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability for Smart Switch SG200-26 26 Port

  Hi,
  I am having a SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability on my Smart Switch SG200-26 26Port. Does anyone know how to solve this vulnerability?

  Quick-link to the PSIRT verified Email Security (ESA) vulnerability information as well as workaround:-
  https://tools.cisco.com/bugsearch/bug/CSCur27131

• [CVE-2014-3566] SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability

  Cisco is aware of the reported vulnerability and is currently investigating this report.  Cisco is evaluating products to determine their exposure to this vulnerability.
  Cisco has issued an official PSIRT notice for the SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
  Please refer to the following information, as provided from our Product Security Incident Response Team (PSIRT):
  SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
  Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at:
  http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html 
  This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at:
  http://www.cisco.com/go/psirt

  Quick-link to the PSIRT verified Email Security (ESA) vulnerability information as well as workaround:-
  https://tools.cisco.com/bugsearch/bug/CSCur27131

• Mitigting SSL v3 POODLE Vulnerability (CVE-2014-3566)

  Hi all,
  Another day, another vulnerability. Feel like we are swimming against the tide.
  Now, SSL v3 has been shown to be vulnerable (looks like a protocol issue, not an implementation issue, so patches are doubtful) and so I am looking at what we can do to mitigate this. Clients (such as IE, Firefox and Chrome (sort of)) can be set to disable SSL v3, but rolling this out across an Enterprise might not be that easy.
  In IIS (that would be running TMS) you can switch off SSL v3 via a reg edit, but are there any knock on effect? What about the web services built into CODECs, MCUs and other infrastructure devices - can SSL v3 be switched off?
  Look forward to the responses.
  Cheers
  Chris

  Hi All,
  This tidbit is not Cisco orientated per se, but some of you might find it useful (if you haven't found the info yourselves already (it's what I sent around to my team here):
  There are many things you can do to mitigate this vulnerability, as you can also disable SSL3 in various clients (although this might affect communication with legacy systems)
  Firefox – Version 34 (due for release at the end of November) will disable SSL v3 by default, but they have released a plug in that can disable this immediately. See https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
  IE – You can turn off SSL 3 from the Settings -->Internet Options --> Advanced --> Security, section however, if you find that the options to check SSL/TLS are greyed out (as they are on my machine), this maybe a hang over from previous security software installation.
  However, I will override this using GPO so domain joined PCs will have this setting updated. The GPO applied to the domain is:
  Computer Setting --> Administrative Templates --> Windows Components --> Internet Explorer --> Internet Control Panel --> Advanced Page --> Turn Off Encryption Support = TLS 1.0, TLS 1.1, and TLS 1.2 ONLY
  Chrome – This is a little more difficult. It seem you can only do this at this moment in time by adding a switch to the start-up command (you can modify the shortcut on either Windows or Mac). Check out https://zmap.io/sslv3/browsers.html

• POODLE vulnerability

  Hi,
  I'm getting this threatening message from our admin (see below). I know this is being investigated (http://www.blackberry.com/btsc/KB36397), but they will throw my phone off the network in two days. Are there know workarounds? Why is the port 443 open anyway?
  anze
  System Name/IP : XX
  MAC Address : a4e4b80ef72b
  Owner/Admin : XX
  Last Scanned : 2014-11-04 09:58:07
  You are being contacted because you are listed as the admin/owner
  of the above system.
  ** At least one high or medium risk vulnerability remains on this system,
  and must accounted for before 2014-11-12! **
  Remediation will generally involve a combination of two approaches:
  1) Addressing the problem directly (e.g. apply vendor patches,
  disabling unnecessary services, etc.). Or,
  2) If a vulnerability cannot be remediated for any reason, an
  exception will have to be made. When you mark an exception
  you will have to provide a justification as well as a category
  (false positive, operational need, not correctable, etc.)
  ** Note that all exceptions/justifications will be audited! **
  Note that you will need to re-scan the system after you take any
  of the above remediation actions, to confirm the results.
  If nothing is done, this system will be queued to be blocked at
  9 am on 2014-11-12. Once queued, the only way to release the
  system will be to call the ITD Help Desk at x5522.
  This is the 2nd notice (the original notice was sent on 2014-11-05).
  [1] Service: www (443/tcp), Risk: MEDIUM, ID: 78479
  Synopsis :
  It is possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.
  Description :
  The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. A MitM attacker can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.
  As long as a client and service both support SSLv3, a connection can be 'rolled back' to SSLv3, even if TLSv1 or newer is supported by the client and service.
  The TLS Fallback SCSV mechanism prevents 'version rollback' attacks without impacting legacy clients
  however, it can only protect connections when the client and service support the mechanism. Sites that cannot disable SSLv3 immediately should enable this mechanism.
  This is a vulnerability in the SSLv3 specification, not in any particular SSL implementation. Disabling SSLv3 is the only way to completely mitigate the vulnerability.
  See also :
  https://www.imperialviolet.org/2014/10/14/poodle.html
  https://www.openssl.org/~bodo/ssl-poodle.pdf
  https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
  Solution :
  Disable SSLv3.
  Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be disabled.
  Risk factor :
  Medium / CVSS Base Score : 4.3
  (CVSS2#AV:N/AC:M/Au:N/C/I:N/A:N)
  Plugin output :
  Nessus determined that the remote server supports SSLv3 with at least one CBC
  cipher suite, indicating that this server is vulnerable.
  It appears that TLSv1 or newer is supported on the server. However, the
  Fallback SCSV mechanism is not supported, allowing connections to be "rolled
  back" to SSLv3.
  CVE : CVE-2014-3566
  BID : 70574
  Other references : OSVDB:113251,CERT:577193,IAVA:2014-A-0166

  Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.
  TLS 1.0, TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected. BlackBerry products use TLS 1.0 or better by default when connecting to websites. 
  Each encrypted connection uses a different key and recovering the plain text of one session does not compromise other sessions.
  This issue is mitigated for all customers by the requirement that an attacker would need to force the server and client to downgrade to the legacy SSLv3 protocol. This would require that the attacker successfully simulate a network or request failure. The attacker would also need to force the encrypted data to contain known plain text unless the attacker can reliably guess a part or all of the plain text. Any attempt to guess plain text data would rely on the data being in the exact same position within the network packets each time and in practice it is unlikely that this will be possible.
  This issue is mitigated for BlackBerry smartphone customers by the requirement that an attacker must first gain at least partial control of the network and of the server. The browser would then need to communicate with the attacker-controlled server over an attacker-controlled network on a repeated basis. If the connection is not compromised or the server is not under the control of the attacker, or if the attacker is unable to cause known data to be sent repeatedly between the server and the client, the SSLv3 weakness cannot be used to recover unencrypted data. The attacker has no way of forcing such a connection to occur.
  Click here to Backup the data on your BlackBerry Device! It's important, and FREE!
  Click "Accept as Solution" if your problem is solved. To give thanks, click thumbs up
  Click to search the Knowledge Base at BTSC and click to Read The Fabulous Manuals
  BESAdmin's, please make a signature with your BES environment info.
  SIM Free BlackBerry Unlocking FAQ
  Follow me on Twitter @knottyrope
  Want to thank me? Buy my KnottyRope App here
  BES 12 and BES 5.0.4 with Exchange 2010 and SQL 2012 Hyper V

• MeetingPlace 7.1 SSLv3/Poodle Vulnerablilty

  Hello, Support Community,
  We have MeetingPlace 7.1 on an MCS server.  The server is running the Cisco IOS Image 2003.1.51 and Service Release 25.  This is our conference server located in our DMZ for outside conferencing. 
  I have read the notice at https://tools.cisco.com/bugsearch/bug/CSCur33354/?referring_site=bugquickviewclick. 
  It appears that upgrading is the best option, however  we are looking for a short term security option if one is available as we are  going to be getting ready to upgrade to WebEx in a few months.
  Is there anything else that can be enabled differently, or disabled to secure the server and still provide service to our clients that are coming in for web conferencing from the outside.
  Many thanks in advance for the help!
  Peggy

  Tried this on one of my 4260's and are most recent vulnerability scan is still picking up the IPS as vulnerable to POODLE.
  Given that the IPS is technically supported until 2018, I'm having a hard time convincing the business that they need to upgrade it just yet.
  Was there anything else you needed to do other than what was documented in the link?

• RRAS, SSTP and POODLE Vulnerability

  Is the RRAS implementation of a SSTP VPN vulnerable to Poodle attacks?

  Hi,
  I can't find any document about the vulnerability of SSTP.
  Based on my research, the POODLE attack is a man-in-the-middle exploit which takes advantage of a clients' fallback to SSL 3.0. To mitigate POODLE attack, one way is to completely disable SSL 3.0 on the client side and the server side.
  To disable SSL 3.0 on Windows, please modify the registry below.
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client] "DisabledByDefault"=dword:00000001
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server] "Enabled"=dword:00000000
  Important: Please back up the registry before you modify it. Then, you can restore the registry if a problem occurs. 
  How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
  https://support.microsoft.com/kb/245030?wa=wsignin1.0
  Best Regards.
  Steven Lee
  TechNet Community Support

• Lync 2010 - Poodle vulnerability?

  is the FE or Edge server at risk.?
  thanks
  Eva

  POODLE affects SSLv3 or version 3 of the Secure Sockets Layer protocol, which is used to encrypt traffic between a browser and a web site or between a user’s email client and mail server.
  Edge server doesnt provide any Web services so its not the edge server 
  The Lync FE caters to http\https traffic 
  This a Man in middle kind of attack not sure what the hacker will gain my presenting you Lync Meeting page or a Lync dial-in page 
  As a server [administrator], you probably don’t need to panic if your customers are coming in over home connections. Only if they’re coming in over [something like] a Starbucks Wi-Fi
  POODLE  targets the clients.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer" Regards Edwin Anthony Joseph

• Firefox poodle vulnerability

  hello i heard the firefox version 34 no longer supported sslv3 but i currently have firefox 34.0.5 and poodletest says i am vulnerable how can i fix my vulnerability?

  ''cor-el [[#answer-669842|said]]''
  <blockquote>
  You can set the security.tls.version.min pref to 1 on the <b>about:config</b> page if the current value is 0.
  You can open the <b>about:config</b> page via the location/address bar.
  You can accept the warning and click "I'll be careful" to continue.
  *http://kb.mozillazine.org/about:config
  * http://kb.mozillazine.org/security.tls.version.*
  0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, 3 means TLS 1.2 etc.
  </blockquote>
  ''cor-el [[#answer-669842|said]]''
  <blockquote>
  You can set the security.tls.version.min pref to 1 on the <b>about:config</b> page if the current value is 0.
  You can open the <b>about:config</b> page via the location/address bar.
  You can accept the warning and click "I'll be careful" to continue.
  *http://kb.mozillazine.org/about:config
  * http://kb.mozillazine.org/security.tls.version.*
  0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, 3 means TLS 1.2 etc.
  </blockquote>
  it still says i am vulnerable