POODLE Bite: Exploiting The SSL 3.0 CVE-2014-3566

Google has recently disclosed a vulnerability in SSL 3.0 (CVE-2014-3566, nicknamed POODLE) that can be exploited to compromise secure connections. System administrators are advised to disable SSL 3.0 on their servers and use TLS 1.1 or 1.2 instead.

This vulnerability does not affect your SSL certificates, so there is no need to renew, reissue, or reinstall them.

How to disable SSL V3.

Apache:
Edit your SSL virtual host and make sure it contains the parameter below.

SSLProtocol all -SSLv2 -SSLv3

Nginx:
Edit your SSL virtual host and make sure it contains the parameter below.

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

IIS:

Download DisableSSL3.zip, extract it, import DisableSSL3.reg, and reboot the server.

Finally, make sure you have restarted the web server service so the changes take effect.

Amazon has also released instructions on how to cope with this vulnerability.

http://aws.amazon.com/jp/security/security-bulletins/CVE-2014-3566-advisory/

UPDATE:
Once you have disabled SSL V3 you can test your site / server with the following tool.

http://poodlebleed.com/

Alternatively, you can also verify it from the command line (replace google.com with your own host name).

openssl s_client -connect google.com:443 -ssl3

If the command ends in a handshake failure, then SSL V3 is disabled on the server.
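As an added example (not part of the original post), the following Python script performs the same check as the openssl command above without depending on OpenSSL: it sends a bare SSL 3.0 ClientHello and reports whether the server answers with an SSL 3.0 ServerHello (SSLv3 still enabled) or with an alert or a closed connection (the handshake failure described above). The cipher-suite list and the default host name are assumptions.

```python
import os
import socket
import struct

SSLV3 = b"\x03\x00"
# Cipher suites offered in the probe (assumed set; any SSL 3.0 server accepting one answers with a ServerHello).
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]  # AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA


def build_sslv3_client_hello():
    """Build a minimal SSL 3.0 ClientHello record, like the one `openssl s_client -ssl3` sends."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (SSLV3                                   # client_version = 3.0
            + os.urandom(32)                        # client random
            + b"\x00"                               # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                          # one compression method: null
    # Handshake header: msg_type client_hello(1) + 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content_type handshake(22), version 3.0, 16-bit length
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """'enabled' (SSL 3.0 ServerHello), 'disabled' (alert or connection closed) or 'unknown'."""
    if len(data) < 5:
        return "disabled"          # connection closed without a record: SSLv3 refused
    content_type, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if content_type == 0x15:
        return "disabled"          # Alert record, e.g. handshake_failure(40) or protocol_version(70)
    if content_type == 0x16 and (major, minor) == (3, 0) and len(data) > 5 and data[5] == 0x02:
        return "enabled"           # ServerHello inside an SSL 3.0 record: the server still speaks SSLv3
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Send the probe to host:port and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return "unknown"
    return classify_response(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed default host
    print(target, "SSLv3:", probe(target))
```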

UPDATE: 10/16/2014

The vulnerability has been fixed in OpenSSL version 1.0.1j, so let's wait for the patches from Debian, Red Hat and other Linux distributions.

Microsoft Windows Zero-Day Vulnerability CVE-2014-4114

Yesterday a zero-day vulnerability affecting all versions of the Microsoft Windows operating system was discovered and announced by iSIGHT Partners in collaboration with Microsoft.

Microsoft has already released a patch for it, so everyone is advised to patch all versions of Windows as soon as possible.

More details about the patch can be found at

https://technet.microsoft.com/library/security/ms14-060