Meaner POODLE bug that bypasses TLS crypto bites 10 percent of websites


      "So far, load balancers and similar devices sold by two
       different manufacturers have been identified as vulnerable.
       The makers are F5 and A10."

F5?

A10?

WTF?  Who are those companies?

       "Although recent versions of TLS calls for the encryption  
        padding to be closely checked for so-called Oracle attacks,
        the companies' implementations skip this step, making them
        vulnerable to POODLE-style exploits."

Of course they skipped the Oracle-attack check (whatever the hell that
is).  Their hardware skips that check because the US gov't / NSA told
them to design their equipment to skip the checks.

        "F5 has issued an advisory detailing precisely which products
         are vulnerable and showing how they can be patched. The  
         status of a fix from A10 wasn't immediately known."

Again, who the fuck are "F5" and "A10" ?

=======================================================================

Meaner POODLE bug that bypasses TLS crypto bites 10 percent of websites

Dec 9, 2014

Some of the world's leading websites—including those owned or operated
by Bank of America, VMware, the US Department of Veteran's Affairs, and
business consultancy Accenture—are vulnerable to simple attacks that
bypass the transport layer security encryption designed to thwart
eavesdroppers and spoofers.

The attacks are a variation on the so-called POODLE exploits disclosed
two months ago against secure sockets layer (SSL), an encryption
protocol similar to transport layer security (TLS). Short for "Padding
Oracle On Downgraded Legacy Encryption," POODLE allowed attackers
monitoring Wi-Fi hotspots and other unsecured Internet connections to
decrypt HTTPS traffic encrypted by the ancient SSL version 3. Browser
makers quickly responded by limiting or eliminating use of SSLv3, a move
that appears to have averted widespread exploitation of the bug.

On Monday, word emerged that there's a variation on the POODLE attack
that works against widely used implementations of TLS. At the time this
post was being prepared, SSL Server Test, a free service provided by
security firm Qualys, showed that some of the Internet's top
websites—again, a list including Bank of America, VMware, the US
Department of Veteran's Affairs, and Accenture—are susceptible. The
vulnerability was serious enough to earn all sites found to be affected
a failing grade by the Qualys service.

http://cdn.arstechnica.net/wp-content/uploads/2014/12/bofa-results.jpg

Stealing cookies, one crumb at a time

As concerning as POODLE was to security professionals, it required
attackers to follow several steps that could often prove difficult in
real-world environments. Attackers had to spoof packets sent between
websites and end users to force them to use SSLv3. It also required
attackers to slightly modify transactions thousands of times until they
could successfully guess the contents of encrypted payloads, one
character at a time. By using the padding oracle to deduce the contents
of the payloads, attackers could obtain authentication cookies or
security tokens used to gain access to user accounts or other restricted
sections of a vulnerable website. The newly disclosed attack against TLS
is similar, except that it's slightly less demanding to carry out.

"The impact of this problem is similar to that of POODLE, with the
attack being slightly easier to execute — no need to downgrade modern
clients down to SSL 3 first, TLS 1.2 will do just fine," Ivan Ristic,
Qualys's director of application security research, wrote in a blog post
titled POODLE bites TLS. "The main target are browsers, because the
attacker must inject malicious JavaScript to initiate the attack. A
successful attack will use about 256 requests to uncover one cookie
character, or only 4096 requests for a 16-character cookie. This makes
the attack quite practical."

So far, load balancers and similar devices sold by two different
manufacturers have been identified as vulnerable. The makers are F5 and
A10. Although recent versions of TLS calls for the encryption padding to
be closely checked for so-called Oracle attacks, the companies'
implementations skip this step, making them vulnerable to POODLE-style
exploits. F5 has issued an advisory detailing precisely which products
are vulnerable and showing how they can be patched. The status of a fix
from A10 wasn't immediately known.

According to Ristic, about one in 10 websites are vulnerable to the new
POODLE attack for TLS. That means 10 percent of sites are vulnerable to
man-in-the-middle attacks that face a reasonable chance of success
bypassing Web encryption. Users are invited to use the Qualys service to
identify other high-profile sites that are vulnerable. Administrators
should waste no time ensuring their sites aren't affected.

http://arstechnica.com/security/2014/12/meaner-poodle-bug-that-bypasses-tls-crypto-bites-10-percent-of-websites
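
The padding check that the quoted article says the affected implementations skip, as an added example (not code from the article, Qualys, F5 or A10). It assumes a 16-byte CBC block; the function names and sample records are constructed for illustration.

```python
from typing import Optional

BLOCK = 16  # AES-CBC block size in bytes


def lax_padding_ok(plaintext: bytes) -> bool:
    """SSLv3-style rule: only the final length byte is examined."""
    if not plaintext or len(plaintext) % BLOCK:
        return False
    pad_len = plaintext[-1]
    return pad_len + 1 <= len(plaintext)


def strict_padding_ok(plaintext: bytes) -> bool:
    """TLS rule: all pad_len + 1 trailing bytes must equal pad_len."""
    if not plaintext or len(plaintext) % BLOCK:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    diff = 0
    # Accumulate mismatches instead of returning at the first one, so the
    # loop length does not depend on where the padding goes wrong.
    for b in plaintext[-(pad_len + 1):]:
        diff |= b ^ pad_len
    return diff == 0


def make_record(body: bytes, filler: Optional[int] = None) -> bytes:
    """Constructed sample: pad body to a block multiple.

    filler=None writes TLS padding; any other value writes arbitrary
    bytes before the length byte, which SSLv3 permits and TLS forbids.
    """
    pad_len = BLOCK - 1 - (len(body) % BLOCK)
    fill = pad_len if filler is None else filler
    return body + bytes([fill]) * pad_len + bytes([pad_len])


def verdicts(record: bytes) -> tuple:
    """Return (lax_result, strict_result) for one decrypted record."""
    return lax_padding_ok(record), strict_padding_ok(record)


if __name__ == "__main__":
    body = b"A" * 20  # constructed plaintext, 11 padding bytes follow
    print("well-formed:", verdicts(make_record(body)))
    print("junk padding:", verdicts(make_record(body, filler=0x00)))
```

A record whose padding bytes are arbitrary passes the lax check and fails the strict one; a TLS endpoint that applies only the lax rule leaves the padding unverified, which is the condition the article describes.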

Re: Meaner POODLE bug that bypasses TLS crypto bites 10 percent of websites

Virus Guy presented the following explanation :

a10networks.com
f5.com



Re: Meaner POODLE bug that bypasses TLS crypto bites 10 percent of websites

On Tue, 09 Dec 2014 11:18:09 -0500, FromTheRafters wrote:


Apparently Google doesn't run on Win98. :-)

Thane

Re: Meaner POODLE bug that bypasses TLS crypto bites 10 percent of websites

Thane has brought this to us :

I considered LMGTFY but that's too lame these days. It sure was a hoot  
when it first came out.



Re: Meaner POODLE bug that bypasses TLS crypto bites 10 percent of websites

On Tue, 09 Dec 2014 18:15:37 -0500, FromTheRafters wrote:


Still works though!

:-)

Thane

Re: Meaner POODLE bug that bypasses TLS crypto bites 10 percent of websites

On Tuesday, December 9, 2014 10:43:49 PM UTC+8, Virus Guy wrote:
  
Only a Google search away... "F5 Networks, Inc. is a multinational
American company which specializes in Application Delivery Networking
(ADN) technology that optimizes the delivery of network"
"High-performance Application Delivery Controllers, DDoS protection, DoS
attack mitigation, and network load balancing solutions by A10 Networks."

RL
