Sage Advice - Cybersecurity Blog

SSL 3.0 Protocol Vulnerability Advisory – POODLE Attack

On October 14, 2014, a vulnerability in the SSL 3.0 protocol was publicly disclosed. The SSL 3.0 protocol is vulnerable to a padding-oracle attack when Cipher Block Chaining (CBC) is used. This attack is commonly called “POODLE” (Padding Oracle On Downgraded Legacy Encryption).

What is the issue?

A weakness in the SSL 3.0 protocol allows a man-in-the-middle attack to extract data from secure HTTPS connections. This could allow an unauthenticated attacker to access cleartext information from traffic that uses the SSL 3.0 protocol with CBC mode. The decryption is performed at the byte level, which would generate a large number of connections between client and server.

Should we be concerned?

This vulnerability is classified by NIST with a CVSS v2 base score of Medium. SSL 3.0 is an old protocol that has been replaced by Transport Layer Security (TLS). However, even if both the client and server support TLS, the SSL/TLS protocol suite allows for protocol version negotiation. This “negotiation” is leveraged by the POODLE attack to downgrade the connection to use SSL 3.0. In addition to downgrading a TLS connection to SSL 3.0, two other conditions must be met to execute the attack.

  1. The attacker must be able to control portions of the client’s side of the SSL connection.
  2. The attacker must have visibility of the ciphertext (i.e., a man-in-the-middle position).

The complexity of the attack makes this vulnerability difficult to exploit unless the device is susceptible to a man-in-the-middle attack (for example, when using public Wi-Fi).

What types of systems are vulnerable?

Any device that has SSL 3.0 enabled for encryption is vulnerable. Such systems may include web servers, SSL VPNs, web and email gateway appliances, and web browsers that have SSL 3.0 enabled.

For More Information

US-CERT and Homeland Security have issued guidance for the “POODLE Vulnerability in SSL 3.0”.

Recommended Actions

  1. Identify systems in your environment that use HTTPS and SSL, for example web servers, firewalls, routers, switches, SSL VPNs, MDM servers, web browsers, email gateways and appliances.

  2. Contact the vendors of potentially impacted systems. Follow their mitigation instructions. Continue to monitor vendor announcements for updates.

  3. Remediation efforts should be prioritized. Higher priority should be given to Internet-connected systems and any system that could use public Wi-Fi (laptops).

    1. Instructions for disabling SSL on Windows Server are detailed in KB 187498.
    2. A Group Policy Object (GPO) can be created to disable SSL in Internet Explorer. Test all GPOs on an Organizational Unit with a limited number of devices before deploying globally.

  4. For systems that must keep SSL 3.0 for compatibility with legacy systems, the TLS Fallback Signaling Cipher Suite Value (SCSV) can be used to prevent protocol downgrade attacks. For more information, refer to
