POODLE Bites Again: New POODLE Attacks Impact Some TLS

Who let the dog out, again?

Earlier this year, it was revealed that hackers could force a downgrade of encrypted connections to the outdated and exploitable SSL 3.0 protocol using an attack technique dubbed POODLE (Padded Oracle Downgraded Legacy Encryption). Although the threat is extremely serious, the ability to read encrypted communication, the solution is simple. If either the browser or the server disables SSL 3.0 the attack can’t succeed.

Unfortunately, a new variant of the POODLE attack may affect some TLS implementations because of a similar issue reported earlier this year with SSL 3.0. If exploited, hackers may be able to read encrypted communications as plain text. After SSL 3.0, the standard encryption protocols for secure client/server communication were renamed TLS (Transport Layer Security). The current version is TLS 1.2, but browsers also support TLS 1.0 and 1.1.

This new threat is more limited than the original POODLE bug scare. It has been identified as being present when using F5 and A10 load balancers. According to security vendor Qualys, about 10 percent of servers they monitor are vulnerable to POODLE attacks through TLS.

Most vendors are supplying a patch to address this problem. Web Server administrators should check with the vendors for the web servers and load balancers to obtain an update.

If a hacker can read encrypted communication they have obtained the proverbial keys to the kingdom, so this needs to be addressed with extreme urgency.