POODLE, a critical SSL flaw previosly discovered in October which was patched and fixed by webmasters around the world after Google alerted software and hardware vendors, has again made its way and this time its a New Critical POODLE Vulnerability in TLS which the vulnerability affects.
Yes, the serious POODLE vulnerability that affected the most widely used web encryption standard Secure Sockets Layer (SSL) 3.0 has once again returned and is likely to affect some of the most popular web sites in the world — including those owned or operated by Bank of America, the US Department of Veteran’s Affairs, and Accenture.
The new attack vector exploits the same class of problem as POODLE: an error in the handling of padding. Qualys reckons the new attack, which works on TLS 1.2, is possible because while TLS has much stricter padding requirements than SSL 3 (which was the target for POODLE), “some TLS implementations omit to check the padding structure after decryption”.
Not only that, but because the client is allowed to use TLS, there’s no need for an attacker to try and force the target to fall back to SSL 3 (which, by the way, you should have eliminated entirely and forever from your network by now).
Researchers at security firm Qualys says, “some TLS implementations omit to check the padding structure after decryption.”
“The impact of this problem is similar to that of POODLE, with the attack being slightly easier to execute–no need to downgrade modern clients down to SSL 3 first, TLS 1.2 will do just fine,” Ivan Ristic, Qualys’s director of application security research, wrote in a blog post titled POODLE bites TLS.
“The main target are browsers, because the attacker must inject malicious JavaScript to initiate the attack. A successful attack will use about 256 requests to uncover one cookie character, or only 4096 requests for a 16-character cookie. This makes the attack quite practical.”
Till now, load balancers and similar devices which are used to handle the TLS connections sold by two different manufacturers, F5 Networks and A10 Networks, are found vulnerable to the attack. Basically, the recent versions of TLS calls for the encryption padding to be closely checked for Oracle attacks, which was skipped by both the companies during implementation, which makes them vulnerable to POODLE attacks.