POODLE Bites Again, Hitting TLS Security Protocol

POODLE Bites Again

Google researchers discovered the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack in October and released a patch for the critical vulnerability. Now the POODLE attack has returned, this time hitting the TLS security protocol.

The researchers' initial findings showed that only SSL 3.0 was affected by this vulnerability. Researchers have now identified that the issue also affects some implementations of TLS, in products that don't properly check the structure of the "padding" used in TLS packets.
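The difference between a padding check that only reads the length byte and one that verifies the full padding structure, as an added example (not code from Langley's post or from any vendor). The function names, the constructed buffers and the zero MAC length are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SSL 3.0-style check: only the final length byte is examined; the padding
 * bytes before it may hold anything. A TLS stack that validates padding
 * this way is the kind of implementation the article describes. */
int pad_ok_lax(const uint8_t *rec, size_t len, size_t mac_len)
{
    if (len == 0) return 0;
    size_t pad = rec[len - 1];
    return pad + 1 + mac_len <= len;
}

/* TLS check: the length byte and every padding byte before it must all
 * equal the padding length. Mismatches are accumulated instead of returned
 * early; production code must also keep MAC verification and memory access
 * independent of the padding length, which this sketch does not attempt. */
int pad_ok_strict(const uint8_t *rec, size_t len, size_t mac_len)
{
    if (len == 0) return 0;
    size_t pad = rec[len - 1];
    if (pad + 1 + mac_len > len) return 0;
    uint8_t diff = 0;
    for (size_t i = 0; i <= pad; i++)
        diff |= (uint8_t)(rec[len - 1 - i] ^ pad);
    return diff == 0;
}

/* Constructed 16-byte decrypted record tails (not captured traffic).
 * MAC length is passed as 0 so each buffer is just data plus padding. */
const uint8_t GOOD[16]   = {'d','a','t','a','d','a','t','a','d','a','t','a',3,3,3,3};
const uint8_t RANDOM[16] = {'d','a','t','a','d','a','t','a','d','a','t','a',0x9c,0x41,0xe7,3};
const uint8_t ZEROS[16]  = {'d','a','t','a','d','a','t','a','d','a','t','a',0,0,0,3};

int main(void)
{
    printf("well-formed: lax=%d strict=%d\n", pad_ok_lax(GOOD, 16, 0), pad_ok_strict(GOOD, 16, 0));
    printf("random pad:  lax=%d strict=%d\n", pad_ok_lax(RANDOM, 16, 0), pad_ok_strict(RANDOM, 16, 0));
    printf("zero pad:    lax=%d strict=%d\n", pad_ok_lax(ZEROS, 16, 0), pad_ok_strict(ZEROS, 16, 0));
    return 0;
}
```

A record that the lax check accepts and the strict check rejects marks exactly the gap between SSL 3.0 padding rules and what a TLS implementation is required to enforce.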

Google security engineer Adam Langley built a scanner to find out whether other products are affected. He found many vulnerable sites, including some popular websites that used an F5 device to terminate connections. He contacted F5 on October 21st and they started working on a fix. He also found that A10 devices have the same problem.

Langley said in his blog post, "I'm not completely sure that I've found every affected vendor but, now that this issue is public, any other affected products should quickly come to light. (Citrix devices have an odd behavior in this area in that they'll accept padding bytes that are all zeros, but not random padding. That's unexpected but I can't make an attack out of it.)"
