POODLE SSLv3 Protocol CBC Ciphers Information Disclosure Vulnerability Network Vulnerability

Summary

This host is installed with OpenSSL and is prone to information disclosure vulnerability.

Impact

Successful exploitation will allow a man-in-the-middle attackers gain access to the plain text data stream. Impact Level: Application

Solution

Vendor released a patch to address this vulnerabiliy, For updates contact vendor or refer to https://www.openssl.org NOTE: The only correct way to fix POODLE is to disable SSL v3.0

Insight

The flaw is due to the block cipher padding not being deterministic and not covered by the Message Authentication Code

Affected

OpenSSL through 1.0.1i

Detection

Send a SSLv3 request and check the response.

References

http://googleonlinesecurity.blogspot.in/2014/10/this-poodle-bites-exploiting-ssl-30.html
http://osvdb.com/113251
https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html
https://www.imperialviolet.org/2014/10/14/poodle.html
https://www.openssl.org/~bodo/ssl-poodle.pdf

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-3566
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N

Related Vulnerabilities

Adobe Flash Player Multiple Security Bypass Vulnerabilities - 01 Feb14 (Linux)
Apple iTunes Multiple Vulnerabilities - Apr10
Adobe Reader 'SWF' Information Disclosure Vulnerability (Windows)
Apache Traffic Server Remote DNS Cache Poisoning Vulnerability
Adobe Flash Player/Air Multiple Vulnerabilities -feb10 (Linux)

POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability

Take action and discover your vulnerabilities