Imperva Security Response for CVE-2014-3566 (AKA "POODLE")

Google researchers recently uncovered a security bug (CVE-2014-3566) that they say could allow hackers to steal data. The bug has been referred to in the press as “POODLE”, or “Padding Oracle On Downloaded Legacy Encryption”. This vulnerability is a Man-In-The-Middle (MITM) attack which means a client-to-server session is being hijacked and then used in a malicious manner. This attack has been associated with SSLv3 connections, and could force TLS sessions to downgrade to SSLv3.

Revision History
Date Comment
10/15/2014 Initial Version

Status Summary
  • MITM attacks occur between a client and server, before inspection by a Web Application Firewall (WAF), and are therefore not detectable by a WAF.
  • Best practices dictate that the SecureSphere management port should not be exposed externally.

1) Protecting Applications:
  • Imperva analysis indicates this attack is very difficult to carry out, because a MITM attack requires the attacker to place themselves in between the victim and the websites they were visiting, for example by introducing a rogue WiFi "hot spot" in an Internet café.
  • MITM attacks occur between a client and server, before inspection by a Web Application Firewall (WAF), and are therefore not detectable by a WAF.
  • There is no SSL related patch available for this type of attack.
    • Restricting your application server connections to only accept TLS can be a mitigating action.
    • While an attack based on this vulnerability could force the session to downgrade from TLS to SSLv3, as noted above, that would require an additional level of sophistication by an attacker, making it more difficult to carry out.
  • There is no WAF signature that can be crafted for this type of attack, as there is no deviation in the SSL protocol or injection being performed.

2) Affected Imperva Products:
  • SecureSphere Web Application Firewall operating in Kernel Reverse Proxy (KRP) mode
  • SecureSphere Management Server

Description

Imperva best practices dictate that the management port be on a local or out-of-band network, and for customers following these practices, CVE-2014-3566 may only be carried out via an insider attack (as SecureSphere Management Server and Gateways do accept SSLv3 and TLS connections). An additional mitigating factor would be to configure your browser to only support TLS connections.


Vendor Fix

When operating SecureSphere WAF in KRP mode, disable SSLv3.


References

National vulnerability Database Listing: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566