SSL 3.0 Security Advisory [17 October 2014] -- Client SSL/TLS version fallback exploit (CVE-2014-3566 "POODLE")

Document ID : KB000057248
Last Modified Date : 14/02/2018
Show Technical Document Details

Solution

We are reaching out to each of our customers as part of the CA Technologies Customer Care program?to let you know of important announcements to the product and other related areas.

Secure Socket Layer version?3.0 (SSL 3.0)

US-CERT/NIST has issued CVE-2014-3566?against SSL 3.0. CA Technologies recommends disabling the use of SSL 3.0 and earlier in any and all applicable API Management products--including but not limited to the CA API Gateway, CA API Enterprise Service Manager, and the CA API Developer Portal.

The vulnerability has been codenamed?Padding Oracle on Downgraded Legacy Encryption (POODLE). This vulnerability leverages deficiencies in the design of the SSL 3.0 protocol to allow for a man-in-the-middle attack under certain circumstances. An attacker on a compromised server can force a client application to downgrade from TLS 1.0 or later to SSL 3.0. A client or server application that allows the use of SSL 3.0 may be vulnerable to this behavior. Execution of a successful attack using this vulnerability has the following requirements:

  1. SSL 3.0 support is enabled on the client
  2. SSL 3.0 support is enabled on the server?
  3. Support for CBC-based cipher suites is enabled

Affected Products and Versions

The following products are impacted based on certain conditions. Please click the links below to be forwarded to the information on applicability by product.
  1. CA API Enterprise Service Manager
  2. CA API Developer Portal
  3. CA API Gateway

CA API Enterprise Service Manager

Form Factor(s):?Hardware and Virtual appliances
Version(s): All versions

The CA API Enterprise Service Manager allows for the use of SSL 3.0 by default. CA Technologies is working on permanently disabling or disallowing the use of SSL 3.0 in CA ESM but a configuration change can be made to force Transport Layer Security version 1.0 (TLS 1.0) by executing the following process:

  1. Log into the CA API Gateway appliance running the Enterprise Service Manager component?as the?ssgconfig user
  2. Select Option #3: Use a privileged shell (root)
  3. Open the following file for editing:?/opt/SecureSpan/EnterpriseManager/var/emconfig.properties
  4. Append?the following line as follows:?em.server.listenport.protocols=TLSv1
  5. Save the file and exit the editor
  6. Restart the Gateway appliance running ESM

CA API Developer Portal

Form Factor(s): Virtual appliance
Version(s): All versions

The CA API Developer Portal uses Apache httpd and Apache Tomcat for serving documents to consumers. These applications can be configured in such a manner to expose them to the POODLE vulnerability. By default, these applications are configured to use SSL 3.0 if it is preferred by the client application--thus making them exposed to exploitation using the aforementioned vulnerability. The vendor for these applications has released the following articles for remediating this behavior on their respective applications:

?The documents above are for generic installations of the aforementioned products.?The following procedure can be executed to disable the use of SSL 3.0 by these applications on the Gateway appliance running the ADP:
  1. Log in to the CA API Gateway appliance running the API Developer Portal component?as the?ssgconfig user
  2. Select Option #3: Use a privileged shell (root)
  3. Open the following file for editing: /etc/httpd/conf.d/ssl.conf
  4. Modify the SSLProtocol?directive to be as follows: all -SSLv2 -SSLv3
  5. Save the file and exit the editor
  6. Open the following file for editing: /opt/Deployments/lrs/server/conf/server.xml
  7. Add the following to the Connector element:?sslProtocol="TLS"
NOTE: The resulting XML element should appear as follows:
<Connector port="37080" maxHttpHeaderSize="8192"
? ?maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
? ?enableLookups="false" redirectPort="50443" acceptCount="100"
? ?connectionTimeout="20000" disableUploadTimeout="true"
? ?compression="on"
? ?compressableMimeType="text/plain,text/html,text/xml,text/css,text/javascript,application/x-javascript,application/javascript"
? ?sslProtocol="TLS"
/>
  1. Save the file and exit the editor?
  2. Restart the Gateway appliance running the ADP

CA API Gateway

Form Factor(s): All factors
Version(s): All versions

The CA API Gateway has an internal component that is exposed to this vulnerability. The Process Controller is responsible for managing communications between external tools (such as remote node management or the Enterprise Service Manager). This component currently permits SSL 3.0 when communicating with external tools. The Process Controller can be configured to disallow SSL 3.0 by executing the following procedure:

  1. Log in to the Gateway appliance ?as the?ssgconfig user
  2. Select Option #3: Use a privileged shell (root)
  3. Open the following file for editing:?/opt/SecureSpan/Controller/etc/host.properties
  4. Append the following line to the file:?host.controller.sslProtocols=TLSv1
  5. Save the file and exit the editor
  6. Restart the Gateway appliance

Troubleshooting and Testing

Red Hat Labs has provided a testing suite as a central repository of tools for testing against this named vulnerability. It can be found at the following URL:?https://access.redhat.com/labs/poodle/. This URL requires an account with Red Hat to access.

A script has been provided by Red Hat to use for testing against Red Hat and Linux-based systems that are equipped with the OpenSSL suite of tools. This script is freely available for all to distribute and use and has been attached to this article as poodle.sh. Download the script to a Linux workstation or server and set it as executable. To use this script, execute the script from the command line with a IP address or hostname as well as an applicable port number. The script will default to IP address 127.0.0.1 and port 443 if no options are provided. For example, do the following to enable the script and scan remote hosts:

  1. chmod a+x /path/to/poodle.sh
  2. /path/to/poodle.sh 192.168.1.7 443
  3. /path/to/poodle.sh gateway.domain.com 8443

Attachments:

File Attachments:
TEC0000001373.zip