Dealing with the POODLE SSLv3 vulnerability

October 23, 2014, update:

IIA continues to monitor the POODLE SSLv3 vulnerability situation and is not aware of any widespread exploitation of this vulnerability. ITS enterprise systems are being reviewed and mitigated in a deliberate manner to avoid potential negative impact on service availability.

Initially, attackers will most likely target users of unencrypted wireless networks. Individuals should use secure wireless networks such as MWireless. The U-M VPN also provides a secure Internet connection if use of unencrypted wireless, such as MGuest or a hotel network, is necessary.

It is important to note that not all services that support SSLv3 are vulnerable to the POODLE attack. Services that use non-CBC mode ciphers for SSLv3 cannot be exploited in that manner.


October 15, 2014

This information is intended for U-M IT staff who are responsible for maintaining and running university servers.

Background

Google researchers have announced discovery of a vulnerability, which is being called POODLE, in SSLv3. SSL (Secure Sockets Layer) is a protocol for encrypting information over the Internet. Version 3 of SSL is 15 years old, but it is still used by some older web browsers when connecting to web pages.

Threats

As of 4:00 p.m., October 15,2014, IIA is not aware of any active exploitation of this vulnerability.

Recommendations

IIA recommends that U-M units:

  • See if SSLv3 or other insecure protocols are enabled. Use the http://ssllabs.com service to check the SSL configuration on unit servers.
  • Disable SSLv3 and any other insecure protocols. Consider using this guidance provided by SANS: POODLE: Turning off SSLv3 for various servers and client. 
    NOTE: Please be aware of the potential negative impact of these actions. For a web server, disabling SSLv3 may cause older web browsers, such as IE6 on Windows XP, to be incompatible with the web server.
  • Test any changes before implementing them in a production environment.

Next Steps

IIA is continuing to evaluate the threat to U-M systems and data and may share additional recommendations as a result of this analysis.

References

See these resources for more information about the SSLv3 vulnerability: