15 October 2014

Do you have a POODLE?

There has been a good deal written about the SSL 3.0 POODLE vulnerability today.  SSL 3.0 is nearly 15 years old and, as it turns out, not very secure.  The most definitive description of the issues with SSL 3.0 was written by Google researchers and can be found here.  The official description of the vulnerability, CVE-2014-3566, is located here. 

While the researchers at Google did a nice job of explaining the risk and suggesting some alternatives (like disabling SSL 3.0), they left determining whether or not your server is vulnerable as an exercise for the reader.  If you manage a single site, you can visit this site from Symantec to run a quick test online. 

However, if you manage an entire data center or a corporate intranet, the problem is a little harder.  Never fear, though, because I used my lunch hour to solve the problem for you.  Take a look at this project.

The first script, ssl3_cipher_check.sh, checks a single target for the presence of SSL 3.0 support.  The results will be similar to the following: 

# ssl3_cipher_check.sh 443
Testing for support of SSL3.0 ciphers...
YES - SSL 3.0 support detected on

The second script, ssl3_scan.sh, allows you to test an entire network range.  Using a network range specified in CIDR notation or a format compatible with nmap, the script detects and checks the standard and alternate ports commonly used for HTTPS on all hosts in the network range.  Results will be similar to the following:

# ./ssl3_scan.sh
Beginning test... please be patient... - SSL3.0 NOT supported - SSL3.0 NOT supported - SSL3.0 NOT supported - SSL3.0 supported - SSL3.0 supported

How you decide to mitigate the risk is on you.  Happy testing!  ;-)

October 20 Update:  Patches are available from OpenSSL.org and are described here.