Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/8/2019
02:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Zombie 'POODLE' Attack Bred from TLS Flaw

Citrix issues update for encryption weakness dogging the popular security protocol.

Turns out a major design flaw discovered and patched five years ago in the old SSL 3.0 encryption protocol, which exposed secure sessions to the so-called POODLE attack, didn't really die: A researcher has unearthed two new related vulnerabilities in the newer TLS 1.2 crypto protocol.

Craig Young, a computer security researcher for Tripwire's Vulnerability and Exposure Research Team, found vulnerabilities in SSL 3.0's successor, TLS 1.2, that allow for attacks akin to POODLE due to TLS 1.2's continued support for a long-outdated cryptographic method: cipher block-chaining (CBC). The flaws allow man-in-the-middle (MitM) attacks on a user's encrypted Web and VPN sessions.

"Specifically, there are products out there that did not properly remediate the first POODLE issue," says Young, who will detail his findings next month at Black Hat Asia in Singapore. He found the latest flaws while further researching, and then testing, just how an attacker could exploit the original POODLE MitM attack.

Among the affected vendors is Citrix, which is also the first to issue a patch for the flaw (CVE-2019-6485). The bug could allow an attacker to abuse Citrix's Delivery Controller (ADC) network appliance to decrypt TLS traffic.

"At Citrix, the security of our products is paramount and we take all potential vulnerabilities very seriously. In the case of the so-called POODLE attack, we have applied the appropriate patches to mitigate the issue and advised our customers on actions needed to secure their platforms," the company said in a statement given to Dark Reading. "We will continue to vigorously monitor our systems to ensure the integrity of our solutions and provide the highest levels of security for our customers around the world."

Young declined to name other vendors currently working on patches, but he says the products include Web application firewalls, load-balancers, and remote access SSL VPNs.

Young has christened the two new flaws Zombie POODLE and GOLDENDOODLE (CVE). With Zombie Poodle, he was able to revive the POODLE attack in a Citrix load balancer with a tiny tweak to the POODLE attack on some systems that hadn't fully eradicated the outdated crypto methods. GOLDENDOODLE, meanwhile, is a similar attack but with more powerful and rapid crypto-hacking performance. Even if a vendor has fully eradicated the original POODLE flaw, it still could be vulnerable to GOLDENDOODLE attacks, Young warns.

Some 2,000 of the Alexa Top 1 Million websites are vulnerable to Zombie POODLE, with some 1,000 to GOLDENDOODLE as well hundreds still vulnerable to the nearly 5-year-old POODLE, according to findings from Young's online scans.

It's not just small sites that are vulnerable, he says: "It seems to be more prevalent in sites that are spending more money on running websites," such as government agencies and financial institutions that run hardware acceleration systems like Citrix's platforms, he notes.

"This [issue] should have been put to bed four or five years ago," Young says, but some vendors either didn't fully remove support for the older and less secure ciphers or didn't fully patch for the POODLE attack flaw itself. Citrix, for instance, had not fully patched for the original POODLE, he says, leaving it open for the next-generation POODLE attacks.

The core problem, of course, is that HTTPS's underlying protocol (first SSL, now TLS) hasn't been properly purged of old cryptographic methods that are outdated and less secure. Support for these older protocols, mainly to ensure that older legacy browsers and client machines aren't locked out of websites, also leaves websites vulnerable. Like its predecessor, TLS 1.2 is riddled with workarounds and countermeasures for protecting against abuse of the older crypto, such as CBC and RC4.

The new Zombie POODLE and GOLDENDOODLE attacks - like POODLE - allow an attacker to rearrange encrypted blocks of data and, via a side channel, get a peek at plaintext information. The attack works like this: An attacker injects a malicious JavaScript into the victim's browser via code planted on a nonencrypted website the user visits, for example. Once the browser is infected, the attacker can execute a MITM attack, ultimately grabbing the victim's cookies and credentials from the secured Web session.

The First POODLE
The original POODLE flaw (Padding Oracle On Downgraded Legacy Encryption), aka CVE-2014-3566, was initially discovered by researchers at Google. It wasn't easy to execute, and neither is POODLE Zombie or GOLDENDOODLE. That's because attackers must be able to set up a MitM attack on the victim's network or via Wi-Fi.

"Every attack has to be rather targeted, and there are a lot of moving parts," Young says. "From the attacker's perspective, you have to know who you are targeting and what kind of system they are running so you can predict where the sensitive material is you are trying to steal. The goal of this attack is to steal an authentication cookie."

An attacker could gain access to the victim's SSL VPN and ultimately pose as that victim on the organization's VPN and move around the network, for example. That would require the attacker on via a public Wi-Fi network to employ ARP spoofing or trick the user's client machine or phone to a phony Wi-Fi hotspot where the attacker then could discern the victim's authentication cookie for his or her VPN session.

Young says it's not likely the POODLE family of attacks are being exploited by cybercriminals, but even so, these attacks would be difficult to detect. Servers don't typically log for this type of activity, for example, he notes.

GOLDENDOODLE kicks it up a notch and executes the POODLE attack at a faster and more efficient rate, he explains. Why the seemingly silly name? It actually retrieves the key intel it needs: "[It's] deterministic such that the attacker is able to test whether the byte being decrypted has a specific value," Young explains.

Go TLS 1.3
The long-term fix for POODLE-based attacks is adoption of the latest version of the TLS encryption protocol, TLS 1.3, which deleted the older crypto methods like CBC rather than including confusing and easily misconfigured workarounds. "It takes away all nonauthenticated ciphers" so attacks like POODLE and its successors can't be executed, Young says.

While TLS 1.3 is available in popular browsers and networking products, website operators have been slow to deploy it mainly out of fear that the move will inadvertently "break" something.

Meantime, organizations not quite ready to go full TLS 1.3 just yet can disable all CBC encryption suites in their TLS 1.2-based systems to protect themselves from the new attacks. Young says his recent scans are showing some organizations he contacted about their sites' vulnerabilities to the POODLE family are now all clear:  "I have ... noticed some websites that are able to remediate the flaw without disabling CBC or patching," but it's not clear what workarounds they employed, he says.

The challenge is that larger websites often must support older Web browsers, Android devices, and Windows systems connecting to them. "While I'd like these businesses to disable CBC ciphers, it would probably create business issues for them" if older client systems couldn't reach their sites, he says.

At Black Hat Asia, Young plans to release the scanning tool he created for his research for vendors and security experts to test Zombie POODLE and GOLDENDOODLE attacks. Tripwire's IP360 scanner also detects the flaws, he notes.

Meantime, researchers at NCC Group today published new research on an attack that would downgrade TLS1.3 to the older, more vulnerable versions.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ludovic_rembert
50%
50%
ludovic_rembert,
User Rank: Apprentice
4/29/2019 | 7:25:40 AM
TLS's list of vulnerabilities grows longer still
We saw a very similar vulnerability to the POODLE attack in recent changes to TLS 1.2 / 1.3, which ALSO allowed for MITM attacks on certain VPNs - https://www.thesslstore.com/blog/tls-pinning-in-mobile-apps/. It's unclear from Kelly's article here which VPN services were affected here by the POODLE attack, but in the case of Schneier's TLS pinning expose, we saw that market leaders like TunnelBear and others were affect.

It feels to me as if TLS is 'trying to make up for lost time', ie they've long been second in the cetificate security race to SSL. Now they are releasing new versions of the protocol, only to find that they are not secure. 
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12551
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, improper validation of arguments in the internal implementation of the Memcpy function (provided by the scripting engine) allows an attacker to overwrite arbitrary memory, which could lead to code execution.
CVE-2019-12552
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, an integer overflow during the initialization of variables could allow an attacker to cause a denial of service.
CVE-2019-3414
PUBLISHED: 2019-07-22
All versions up to V1.19.20.02 of ZTE OTCP product are impacted by XSS vulnerability. Due to XSS, when an attacker invokes the security management to obtain the resources of the specified operation code owned by a user, the malicious script code could be transmitted in the parameter. If the front en...
CVE-2019-10102
PUBLISHED: 2019-07-22
tcpdump.org tcpdump 4.9.2 is affected by: CWE-126: Buffer Over-read. The impact is: May expose Saved Frame Pointer, Return Address etc. on stack. The component is: line 234: "ND_PRINT((ndo, "%s", buf));", in function named "print_prefix", in "print-hncp.c". Th...
CVE-2019-10102
PUBLISHED: 2019-07-22
aubio 0.4.8 and earlier is affected by: null pointer. The impact is: crash. The component is: filterbank. The attack vector is: pass invalid arguments to new_aubio_filterbank. The fixed version is: after commit eda95c9c22b4f0b466ae94c4708765eaae6e709e.