POODLE's bark may be worse than its bite
DHS considers the Padding Oracle On Downgraded Legacy Encryption a middling threat to users.
Despite its pervasiveness in web servers and browsers, a flaw discovered in an aging Internet protocol was rated by the Department of Homeland Security's computer emergency response team as a lower-range medium threat to users.
The threat, uncovered the week of Oct. 13 by Google researchers, is a design flaw in the aging SSL (Secure Socket Layer) 3.0 protocol. It could allow hackers to get past encryption and institute "man in the middle" attacks on unsuspecting users, according to the DHS Computer Emergency Response Team.
More specifically, according to the CERT in its latest weekly threat alert, released Oct. 20, the design vulnerability is a result of the way SSL 3.0 handles block cipher mode padding. It can be used by remote attackers to decrypt and extract information from inside an encrypted transaction.
The flaw, dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption), is in SSL protocol used in Internet browsers and servers. Although SSL 3.0 is almost 20 years old, it can still be found in legacy systems that did not upgrade to Transport Layer Security (TLS) protocol in the early 2000s. According to the Google researchers, nearly all browsers support SSL 3.0 to work around bugs in HTTPS servers that could block older browsers.
CERT, in its official threat assessment, gave POODLE a 4.3 rating on a 10-point threat scale, and offered mitigation recommendations.
Computer experts agreed that the threat was most likely medium level, as other flaws have been found in other portions of Internet protocols, like the transportation layer. They can be worked around or otherwise mitigated, said experts.
Because it resides in basic computer protocol, the POODLE flaw is broadly similar to the massive Heartbleed Open SSL flaw discovered last spring. DHS had said its networks were not affected by Heartbleed, but strongly advised other federal agencies to watch out for it and for people trying to leverage it.
DHS declined comment on whether its newly granted authority to more closely monitor other federal agency's networks would make it easier to detect possible exploitation of the POODLE flaw.
On Oct. 3, Roberta "Bobbie" Stempfley, deputy assistant secretary for cybersecurity and communications at DHS’s National Protection and Programs Directorate, said the new authority "reduces that vulnerable window where departments and agencies may not know that a vulnerability exists in their environment and we can provide that content … so they can fix it more quickly."