Just days after details of the POODLE SSL vulnerability were released, the OpenSSL Project has issued a patch for the open-source encryption software that implements the fix recommended by the Google researchers who uncovered it.
The POODLE (Padding Oracle On Downgraded Legacy Encryption) SSL vulnerability is the result of a problem in the nearly 15-year-old version 3.0 of the SSL protocol, according to the research paper released Tuesday by Google security team members Bodo Möller, Thai Duong and Krzysztof Kotowicz. Though much of the Web has moved on to the more secure Transport Layer Security (TLS) protocol, major Web browsers including Chrome and Firefox still provide support for SSL 3.0 in cases where they can't connect to a server using a modern protocol.
That fallback mechanism could conceivably be used by an attacker to uncover the contents of HTTPS cookies, as the RC4 encryption cipher used by SSL 3.0 is as outdated as the protocol itself. A man-in-the-middle attack in the style of the BEAST attack would be required to successfully exploit POODLE, which tempered the severity of the bug.
Though POODLE may not be as bad as the Heartbleed flaw that struck OpenSSL earlier this year, the OpenSSL Project's administrators wasted no time in issuing a patched version of the encryption software.
"OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade," said the OpenSSL security advisory, adding that users of OpenSSL 1.0.1 and 1.0.0 should upgrade to 1.0.1j and 1.0.0o, respectively.
TLS_FALLBACK_SCSV was touted by Möller earlier this week as a way to prevent the protocol downgrade at the heart of POODLE. Google has supported the feature since February, according to Möller, and Mozilla subsequently announced plans to implement the security mechanism in an upcoming version of its Firefox Web browser.
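As an added illustration (not code from OpenSSL or from the advisory), the following toy model shows how the server-side TLS_FALLBACK_SCSV check from RFC 7507 distinguishes a browser retry forced by a man-in-the-middle from a retry against a genuinely old server; the version constants, the intolerance flag and the MITM model are this example's own assumptions.

```python
# Added example, not OpenSSL's code: a toy model of the TLS_FALLBACK_SCSV
# check (RFC 7507) that patched servers perform, and of the browser
# "downgrade dance" that POODLE relies on. Versions are TLS (major, minor)
# pairs; the intolerance flag and the MITM model are this example's own.

SSL3_0, TLS1_0, TLS1_1, TLS1_2 = (3, 0), (3, 1), (3, 2), (3, 3)
TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value from RFC 7507
AES128_SHA = 0x002F               # an ordinary suite, so the offered list is realistic


class HandshakeFailure(Exception):
    """Legacy server rejected a ClientHello it does not understand."""


class InappropriateFallback(Exception):
    """Server abort corresponding to the inappropriate_fallback alert (86)."""


def server_hello(server_max, intolerant, client_max, cipher_suites):
    """Server-side negotiation with the SCSV check: if the client signals a
    fallback retry yet offers less than we support, abort instead of downgrading."""
    if intolerant and client_max > server_max:
        raise HandshakeFailure("old server chokes on a newer ClientHello")
    if TLS_FALLBACK_SCSV in cipher_suites and client_max < server_max:
        raise InappropriateFallback("fallback retry below our best version")
    return min(server_max, client_max)


def browser_connect(server_max, client_versions, send_scsv,
                    intolerant=False, mitm_block_above=None):
    """Client-side downgrade dance: try each version from highest to lowest,
    adding TLS_FALLBACK_SCSV on retries when send_scsv is set.
    mitm_block_above models an attacker dropping hellos above that version.
    Returns the negotiated version, or None if the connection is refused."""
    retry = False
    for version in sorted(client_versions, reverse=True):
        suites = [AES128_SHA] + ([TLS_FALLBACK_SCSV] if retry and send_scsv else [])
        retry = True
        if mitm_block_above is not None and version > mitm_block_above:
            continue                      # hello never arrives; client retries lower
        try:
            return server_hello(server_max, intolerant, version, suites)
        except HandshakeFailure:
            continue                      # genuine intolerance: retry lower
        except InappropriateFallback:
            return None                   # patched server refuses the downgrade
    return None


MODERN = [SSL3_0, TLS1_0, TLS1_1, TLS1_2]   # constructed browser version list

if __name__ == "__main__":
    print("no attack:       ", browser_connect(TLS1_2, MODERN, send_scsv=True))
    print("MITM, no SCSV:   ", browser_connect(TLS1_2, MODERN, False, mitm_block_above=SSL3_0))
    print("MITM, with SCSV: ", browser_connect(TLS1_2, MODERN, True, mitm_block_above=SSL3_0))
    print("old server, SCSV:", browser_connect(SSL3_0, MODERN, True, intolerant=True))
```

Without the SCSV the blocked client silently lands on SSL 3.0; with it, a server that supports TLS 1.2 refuses the retry, while an SSL 3.0-only server still completes because the client's offered version is not below the server's best.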
While the POODLE fix may come as a relief to worried administrators and OpenSSL users, the flaw was rated only "medium" in severity. The most pressing patch among the four issued in this security advisory was in fact for CVE-2014-3513, a "high" severity memory-leak vulnerability that could be used in denial-of-service attacks.
"A flaw in the DTLS SRTP [Secure Real-time Transport Protocol] extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak," said the OpenSSL security advisory. "This issue affects OpenSSL 1.0.1 server implementations for both SSL/TLS and DTLS regardless of whether SRTP is used or configured. Implementations of OpenSSL that have been compiled with OPENSSL_NO_SRTP defined are not affected."