Vulnerability

POODLE security issue in SSLv3

#2014-1005-03 
Nov 7, 2014 

Background 
On October 14, 2014, a security issue was reported in version 3 of the Secure Sockets Layer (SSL) protocol, which is sometimes used to encrypt network traffic. Under the right conditions, this vulnerability (called POODLE, CVE-2014-3566) could be exploited to decrypt all or part of a transaction encrypted with SSLv3.

POODLE is a flaw in the SSLv3 protocol and is not specific to any particular implementation of SSL. SSL has been largely superseded by the Transport Layer Security (TLS) protocol. TLS itself is not vulnerable; however, an attacker may be able to artificially trigger a protocol downgrade from TLS to SSLv3.

Summary 
Mitel has assessed the threat posed by POODLE. The vulnerability is exploitable in narrow circumstances; specifically, the attacker must: 
1. Intercept traffic between a client and server (man-in-the-middle), 
2. Ensure SSLv3 is used to encrypt the traffic, and 
3. Repeatedly compute and transmit hundreds of packets crafted in real-time for every payload byte being examined. 
These conditions make successful exploitation somewhat difficult. No reports of attacks based on the POODLE vulnerability have been seen in the field. Mainstream browsers have already released updates that eliminate the ability to downgrade TLS connections to SSLv3. These actions make POODLE a less promising attack vector for malicious actors. Based on the information currently available, it appears that POODLE does not represent a significant elevation of risk to Mitel products.
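
Condition 2 above is the one a defender can observe directly: the version the server selects is sent in clear text in its ServerHello. The following is an added example, not Mitel code, that reads that field from server-to-client byte streams and lists the connections that settled on SSLv3; the function names, connection names and sample bytes are constructed for illustration, and it assumes the ServerHello begins its record.

```python
import struct

# Wire values of the protocol version field. TLS 1.3 also reports 0x0303 here.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
HANDSHAKE = 22     # record content type
SERVER_HELLO = 2   # handshake message type


def negotiated_version(stream: bytes):
    """Return the version named in the first ServerHello of a server-to-client
    byte stream, or None if no ServerHello is present."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _record_version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5 : pos + 5 + length]
        pos += 5 + length
        # Assumption: the ServerHello starts its record (no fragmentation).
        if ctype == HANDSHAKE and len(body) >= 6 and body[0] == SERVER_HELLO:
            # Handshake header is type(1) + length(3); server_version follows.
            (version,) = struct.unpack_from("!H", body, 4)
            return VERSIONS.get(version, f"unknown(0x{version:04x})")
    return None


def sslv3_connections(streams: dict) -> list:
    """Names of the connections whose server selected SSLv3."""
    return [name for name, data in streams.items()
            if negotiated_version(data) == "SSLv3"]


def build_server_hello(version: int) -> bytes:
    """Constructed minimal ServerHello record (sample data, not a capture)."""
    hello = struct.pack("!H", version) + bytes(32)      # version + random
    hello += b"\x00" + struct.pack("!HB", 0x002F, 0)    # session id, suite, compression
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


# Constructed sample streams; the connection names are hypothetical.
SAMPLE = {
    "conn-a": build_server_hello(0x0303),
    "conn-b": build_server_hello(0x0300),
    "conn-c": b"\x15\x03\x00\x00\x02\x02\x28",  # fatal alert only, no ServerHello
}

if __name__ == "__main__":
    print(sslv3_connections(SAMPLE))
```
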

Tags: Technical support
