Thursday, October 16, 2014

CVE-2014-3513 - SSLv3 (POODLE attack), OpenSSL memory leak can cause DoS attack

The new SSLv3 vulnerability found by Google researchers:

http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

has widespread implications for servers that act as SSL termination points. For now, they have to disable the SSLv3 protocol itself, or at least the SSLv3 ciphers. Additionally, they have to check their reverse proxies to see whether only strong (TLS) ciphers can be allowed.

Amazon has also released patches for Amazon Linux and instructions for ELB:

http://aws.amazon.com/security/security-bulletins/CVE-2014-3566-advisory/

https://alas.aws.amazon.com/index.html

****************
Amazon Linux AMI:
The Amazon Linux AMI repositories now include patches for POODLE (CVE-2014-3566) as well as for the additional OpenSSL issues (CVE-2014-3513, CVE-2014-3568, CVE-2014-3567) that were released on 2014-10-15. Please see https://alas.aws.amazon.com/ALAS-2014-426.html and https://alas.aws.amazon.com/ALAS-2014-427.html for additional information.

Amazon Elastic Load Balancing:
All load balancers created after 10/14/2014 5:00 PM PDT will use a new SSL Negotiation Policy that will by default no longer enable SSLv3.
Customers that require SSLv3 can re-enable it by selecting the 2014-01 SSL Negotiation Policy or manually configuring the SSL ciphers and protocols used by the load balancer. For existing load balancers, please follow the steps below to disable SSLv3 via the ELB Management Console:
    1. Select your load balancer (EC2 > Load Balancers).
    2. In the Listeners tab, click "Change" in the Cipher column.
    3. Ensure that the radio button for "Predefined Security Policy" is selected.
    4. In the dropdown, select the "ELBSecurityPolicy-2014-10" policy.
    5. Click "Save" to apply the settings to the listener.
    6. Repeat these steps for each listener that is using HTTPS or SSL for each load balancer.

****************************
You can also change the cipher suite policy in the ELB configuration by selecting the version "ELBSecurityPolicy-2014-10" below:
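The console steps above can also be verified from the CLI output instead of clicking through each listener. The script below is an added example (not from the original post or from AWS): it runs offline on constructed JSON shaped like `aws elb describe-load-balancers` and `aws elb describe-load-balancer-policies` output and reports every HTTPS/SSL listener whose negotiation policy still has SSLv3 enabled. The field names (ListenerDescriptions, PolicyNames, PolicyAttributeDescriptions, Protocol-SSLv3) are assumed to match the classic ELB API.

```python
import json

# Constructed sample shaped like `aws elb describe-load-balancers` output:
# an HTTPS listener on 443 still using the 2014-01 policy, plus plain HTTP on 80.
DESCRIBE_LBS = json.loads("""{"LoadBalancerDescriptions": [{
  "LoadBalancerName": "web-prod",
  "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443},
     "PolicyNames": ["ELBSecurityPolicy-2014-01"]},
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80}, "PolicyNames": []}]}]}""")

# Constructed sample shaped like `aws elb describe-load-balancer-policies` output.
DESCRIBE_POLICIES = json.loads("""{"PolicyDescriptions": [
  {"PolicyName": "ELBSecurityPolicy-2014-01", "PolicyTypeName": "SSLNegotiationPolicyType",
   "PolicyAttributeDescriptions": [
     {"AttributeName": "Protocol-SSLv3", "AttributeValue": "true"},
     {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"}]},
  {"PolicyName": "ELBSecurityPolicy-2014-10", "PolicyTypeName": "SSLNegotiationPolicyType",
   "PolicyAttributeDescriptions": [
     {"AttributeName": "Protocol-SSLv3", "AttributeValue": "false"},
     {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"}]}]}""")


def sslv3_policies(policies):
    """Names of SSL negotiation policies whose Protocol-SSLv3 attribute is true."""
    enabled = set()
    for pol in policies["PolicyDescriptions"]:
        if pol["PolicyTypeName"] != "SSLNegotiationPolicyType":
            continue
        # Attributes arrive as a list of name/value pairs; flatten them to a dict.
        attrs = {a["AttributeName"]: a["AttributeValue"]
                 for a in pol["PolicyAttributeDescriptions"]}
        if attrs.get("Protocol-SSLv3", "false").lower() == "true":
            enabled.add(pol["PolicyName"])
    return enabled


def listeners_allowing_sslv3(lbs, policies):
    """(load balancer, port, policy) for each HTTPS/SSL listener still attached to an
    SSLv3-enabled policy; HTTP/TCP listeners are skipped since they never negotiate TLS."""
    bad = sslv3_policies(policies)
    findings = []
    for lb in lbs["LoadBalancerDescriptions"]:
        for ld in lb["ListenerDescriptions"]:
            listener = ld["Listener"]
            if listener["Protocol"] not in ("HTTPS", "SSL"):
                continue
            for name in ld["PolicyNames"]:
                if name in bad:
                    findings.append((lb["LoadBalancerName"], listener["LoadBalancerPort"], name))
    return findings


if __name__ == "__main__":
    for lb, port, policy in listeners_allowing_sslv3(DESCRIBE_LBS, DESCRIBE_POLICIES):
        print(f"{lb}:{port} still allows SSLv3 via {policy}; switch to ELBSecurityPolicy-2014-10")
```

Against live accounts, feed the script the real output of the two `aws elb describe-*` commands in place of the constructed samples.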
