DBSA:2014-0015

From Digibase Knowledge Base
Revision as of 21:05, 18 October 2014 by Kradorex Xeron

Disclaimer: As technology changes, advisories may become out of date or may no longer be relevant. Please refer to the "Date" section of the header to be sure the advisory is recent as it pertains to your situation.

Digibase Security Advisory - SSL 3.0 Vulnerable - Discontinue Use Immediately

Keywords: SSL, Encryption, Secure Sockets Layer, Firefox, Internet Explorer, Chrome

DBSA ID: 2014-0015

Regarding: SSL 3.0 Vulnerable - Discontinue Use Immediately

Writeup: Kradorex Xeron 20:45, 18 October 2014 (EDT)

Date: 2014 10 18

Last Modified: 20141018210532 by Kradorex Xeron

Who should take note: Everyone

Classification

Priority: HIGH

Rationale: SSL 3.0 usage must be discontinued immediately due to plaintext recovery vulnerability

Severity: HIGH

Rationale: Confidential data could potentially be disclosed.

Spread of Issue: MULTI-PLATFORM HIGH

Rationale: All platforms and all network-connected systems that deploy SSL 3.0 are vulnerable.

Description

Secure Sockets Layer Version 3.0 (SSL 3.0) is an encryption protocol utilized by various software and services to ensure data delivery is secure against interception. A vulnerability has recently been disclosed in SSL 3.0 whereby it is possible to recover the clear "in the open" information being transmitted over an encrypted session. There is a secondary element: a "Man In The Middle" (MITM) attacker could trick a browser into downgrading from a more secure TLS (Transport Layer Security) session to the vulnerable SSL suite. The TLS versions have lesser version numbers but are more modern and secure than any SSL version.

Mitigation/Solution

Users are advised to upgrade their software as updates are released. In the meantime, it is recommended to disable SSL usage and only accept TLS connections. Be cautious when utilizing an SSL session, perhaps discontinuing usage of these services until they offer TLS. Users may utilize the link in the References section to detect whether they are vulnerable to the downgrade attack and to test during implementation of this advisory.

Under Mozilla Firefox, enter "about:config" into the address bar (no quotes, no www., no http:; you may also click that link to enter) and accept the prompt to enter the advanced configuration mode. Then enter "security.tls.version.min" into the search bar at the top of that page; a single entry should be displayed. Double-click it and edit the value to "1"; this should effectively disable the vulnerable SSL 3.0. Firefox users may check which security suite a service utilizes by clicking the icon next to the address bar and clicking "More Information", then looking under "Technical Details" for a prefix of "SSL_" or "TLS_"; the former is vulnerable.
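To confirm the Firefox change across several profiles without opening about:config on each one, the following added example (not part of the original advisory) audits the text of a profile's prefs.js and optional user.js for "security.tls.version.min". The function names and sample file contents are constructed for illustration; the only value taken from the advisory is that a minimum of 1 disables SSL 3.0.

```python
import re

PREF = "security.tls.version.min"
# Firefox stores each changed preference on its own line: user_pref("name", value);
LINE_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;')


def read_pref(text, name=PREF):
    """Return the raw value of the last active assignment of `name`, or None."""
    found = None
    for line in text.splitlines():
        m = LINE_RE.match(line)          # commented-out lines do not match
        if m and m.group(1) == name:
            found = m.group(2)           # later lines override earlier ones
    return found


def audit_profile(prefs_js, user_js=""):
    """Classify a profile from the text of prefs.js and an optional user.js."""
    # user.js is applied at startup on top of prefs.js, so it takes precedence.
    raw = read_pref(user_js)
    if raw is None:
        raw = read_pref(prefs_js)
    if raw is None:
        return "UNSET"                   # browser default applies; check the version
    if not re.fullmatch(r"\d+", raw):
        return "INVALID"                 # e.g. a quoted string instead of an integer
    # Per the advisory, a minimum of 1 disables SSL 3.0; anything lower allows it.
    return "SSL3_DISABLED" if int(raw) >= 1 else "SSL3_ALLOWED"


# Constructed sample file contents (not taken from a real profile).
SAMPLE_FIXED = 'user_pref("browser.startup.page", 3);\nuser_pref("security.tls.version.min", 1);\n'
SAMPLE_WEAK = 'user_pref("security.tls.version.min", 0);\n'
SAMPLE_COMMENTED = '// user_pref("security.tls.version.min", 1);\n'

if __name__ == "__main__":
    for label, prefs, user in [
        ("fixed", SAMPLE_FIXED, ""),
        ("weak", SAMPLE_WEAK, ""),
        ("commented-out", SAMPLE_COMMENTED, ""),
        ("user.js reverts fix", SAMPLE_FIXED, SAMPLE_WEAK),
    ]:
        print(f"{label}: {audit_profile(prefs, user)}")
```

A result of "UNSET" means the profile never changed the preference, so the outcome depends on the installed browser's default and the about:config step above still needs to be carried out.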

Under Microsoft Internet Explorer, open the "Tools" or Gear icon menu, go to "Internet Options", then select the Advanced tab. Uncheck "SSL 3.0" in that list (and prior versions as well), ensuring the TLS options are checked.

Chrome has no known option for this; it is advised to use the other browsers for secure site usage until Google releases a patch.

References