
POODLE Vulnerability in CentOS 5


I am running CentOS 5.7 with openssl-0.9.8e-22.el5_11, and it is affected by the POODLE vulnerability. To address this, I have upgraded my OpenSSL version to openssl-0.9.8e-31.el5_11.

I have confirmed from the changelog that the fix for the POODLE vulnerability is available in the above version.

[root]# rpm -qa --changelog openssl | grep CVE
- add support for fallback SCSV to partially mitigate CVE-2014-3566
- fix CVE-2014-0221 - recursion in DTLS code leading to DoS
- fix CVE-2014-3505 - doublefree in DTLS packet processing
- fix CVE-2014-3506 - avoid memory exhaustion in DTLS
- fix CVE-2014-3508 - fix OID handling to avoid information leak

However, my system is still using SSLv3, as per the test below.

[root]# nmap --script ssl-enum-ciphers -p 443 10.197.65.190

Starting Nmap 5.51
Nmap scan report for 10.197.65.190
Host is up (0.00071s latency).
PORT STATE SERVICE
443/tcp open
| ssl-enum-ciphers:
| SSLv3
| Ciphers (
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
| uncompressed
| TLSv1.0
| Ciphers (
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed

Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds

I am getting a little bit confused here. Is the POODLE vulnerability really fixed in openssl-0.9.8e-31.el5_11?

Any help on this will be highly appreciated.


Solution

  • No upgrade for OpenSSL will fix POODLE, because POODLE is a design flaw in SSL 3.0 and not a bug in OpenSSL. All the upgrade does is to add an option which might be used by servers to detect protocol downgrade attempts of the client.

    The real fix is to disable SSL 3.0 in all applications which use the OpenSSL library.
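
The scan from the question turned into a pass/fail check, as an added example that is not part of the original question or answer: it parses `nmap --script ssl-enum-ciphers` output and fails while SSLv3 is still offered, which is the condition that matters rather than the package changelog. The function names `sample_scan`, `protocol_ciphers` and `check_sslv3` are hypothetical, and the embedded scan is a constructed sample modelled on the output above.

```shell
#!/bin/sh
# Added example (not from the original post): decide from the scan output,
# not from the RPM changelog, whether SSLv3 is still offered.

# Constructed sample, modelled on the nmap output in the question.
sample_scan() {
cat <<'EOF'
443/tcp open
| ssl-enum-ciphers:
| SSLv3
| Ciphers (
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
| uncompressed
| TLSv1.0
| Ciphers (
| TLS_RSA_WITH_AES_128_CBC_SHA
| Compressors (1)
|_ uncompressed
EOF
}

# Read scan output on stdin; print "<protocol> <cipher>" per listed cipher.
protocol_ciphers() {
    awk '
        { sub(/^[|_ ]+/, ""); sub(/[: ]+$/, "") }    # drop nmap tree prefix
        /^(SSLv[0-9]|TLSv[0-9.]+)$/ { proto = $0; next }
        /^TLS_|^SSL_/ && proto != "" { print proto, $1 }
    '
}

# Return 0 only when the scan lists no SSLv3 ciphers. POODLE targets the
# CBC suites under SSLv3, so those are reported as the exposure.
check_sslv3() {
    pairs=$(protocol_ciphers)
    if printf '%s\n' "$pairs" | grep -q '^SSLv3 '; then
        echo "SSLv3 offered; CBC suites exposed to POODLE:"
        printf '%s\n' "$pairs" | awk '$1 == "SSLv3" && /_CBC_/ { print "  " $2 }'
        return 1
    fi
    echo "SSLv3 not offered"
}

# Real use: nmap --script ssl-enum-ciphers -p 443 HOST | check_sslv3
sample_scan | check_sslv3 || echo "action: disable SSLv3 in the service configuration"
```

Re-run the check after changing each service's configuration; it passes only once the scan no longer lists an SSLv3 section.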