
The POODLE vulnerability (CVE-2014-3566) that we saw in October affecting SSL v3 has been found to also be present in some implementations of TLS; the TLS variant is tracked separately as CVE-2014-8730.

Although vendors of affected products quickly moved their systems to TLS instead of SSL v3, a problem still exists: the TLS padding format is a subset of SSLv3's (SSLv3 only defines the final pad-length byte and leaves the other padding bytes arbitrary, while TLS additionally requires every padding byte to equal that length), so a decoding function written for SSLv3 accepts TLS records as well, without ever checking the padding bytes.

An implementation that reuses the SSLv3 decoding function for TLS is therefore open to a POODLE-style attack over TLS: the same padding oracle that broke SSL v3 is present in its TLS connections.

CVE-2014-8730 has been created for tracking the vulnerability, but little information has been made available yet. F5, which was notified that its products were affected, has posted additional information and remediation guidance on its website.

Adam Langley, who discovered the vulnerability, posted on his blog regarding the issue:

This seems like a good moment to reiterate that everything less than TLS 1.2 with an AEAD cipher suite is cryptographically broken. An IETF draft to prohibit RC4 is in Last Call at the moment but it would be wrong to believe that RC4 is uniquely bad. While RC4 is fundamentally broken and no implementation can save it, attacks against MtE-CBC ciphers have repeatedly been shown to be far more practical. Thankfully, TLS 1.2 support is about to hit 50% at the time of writing.

Detection of this flaw requires connecting to the server with a client modified to send unexpected pad data: a record whose MAC and pad-length byte are valid but whose padding bytes do not all equal that length. Servers that properly implement the specification will reject the record with an error, while vulnerable systems will not notice the improper padding and will accept it. It should be noted that while the TLS 1.0 specification does not explicitly require the receiver to verify the pad bytes (TLS 1.1 and 1.2 do), many implementations check them anyway and so are not affected by this attack.
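As an added example (not code from the article, from F5, or from Adam Langley), the following Python models the distinction drawn above between the two padding rules and the detection probe just described: a miniature MAC-then-encrypt CBC record layer with an SSLv3-style padding check that looks only at the length byte and a TLS-style check that verifies every pad byte, the garbage-padded probe run against each, and the POODLE byte-recovery loop that succeeds only against the lax check. The keys, the secret, the RNG seed and the 4-round Feistel block cipher standing in for AES are all constructed for the example, and the function names are the example's own.

```python
# Added example (not the article's or any vendor's code): a miniature MAC-then-encrypt
# CBC record layer (payload || MAC || padding) with the two padding checks the article
# contrasts, the malformed-padding probe, and the POODLE byte-recovery loop. Keys, secret
# and seed are constructed; a 4-round Feistel permutation stands in for AES.
import hashlib
import hmac
import random

BLOCK = 16     # block size in bytes, as for AES
MAC_LEN = 20   # HMAC-SHA1 tag, as in the *_CBC_SHA suites

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):          # toy 16-byte block permutation (AES stand-in)
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for k in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[k:k + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for k in range(0, len(data), BLOCK):
        out.append(_xor(block_decrypt(key, data[k:k + BLOCK]), prev))
        prev = data[k:k + BLOCK]
    return b"".join(out)

def ssl3_pad_ok(plain):
    """SSLv3 rule: only the final pad-length byte is checked; pad bytes are arbitrary."""
    padlen = plain[-1]
    return padlen < BLOCK and len(plain) >= padlen + 1 + MAC_LEN

def tls_pad_ok(plain):
    """TLS rule: every padding byte must equal the pad length as well."""
    padlen = plain[-1]
    return (len(plain) >= padlen + 1 + MAC_LEN
            and plain[-(padlen + 1):] == bytes([padlen]) * (padlen + 1))

def seal(keys, rng, payload, pad_fill=None):
    """Sender: payload || HMAC || padding under a fresh IV. pad_fill lets the probe
    put garbage in the pad bytes while the final length byte stays correct."""
    enc_key, mac_key = keys
    tagged = payload + hmac.new(mac_key, payload, hashlib.sha1).digest()
    padlen = (BLOCK - (len(tagged) + 1) % BLOCK) % BLOCK
    fill = bytes([padlen]) * padlen if pad_fill is None else pad_fill[:padlen]
    iv = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    return iv, cbc_encrypt(enc_key, iv, tagged + fill + bytes([padlen]))

def open_record(keys, iv, ct, pad_ok):
    """Receiver: decrypt, apply the padding policy, verify the MAC. True = accepted."""
    enc_key, mac_key = keys
    plain = cbc_decrypt(enc_key, iv, ct)
    if not pad_ok(plain):
        return False
    body = plain[:-(plain[-1] + 1)]
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, hmac.new(mac_key, payload, hashlib.sha1).digest())

def poodle_recover_byte(encrypt_oracle, server_accepts, secret_len, pos, max_tries=6000):
    """Recover secret[pos]. The oracle encrypts prefix || secret || suffix with lengths the
    attacker picks (the attacker's JavaScript in the real attack) so that secret[pos] is the
    last byte of block i and the record ends in a full block of padding. Copying C_i over
    that last block is accepted exactly when D(C_i)[15] ^ C_{n-1}[15] == 15 (1 in 256)."""
    prefix = (15 - pos) % BLOCK
    suffix = (-(prefix + secret_len + MAC_LEN)) % BLOCK
    i = (prefix + pos) // BLOCK
    for _ in range(max_tries):
        iv, ct = encrypt_oracle(prefix, suffix)
        chain = [iv] + [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]
        n = len(chain) - 1                           # chain[n] is the all-padding block
        forged = b"".join(chain[1:n] + [chain[i + 1]])
        if server_accepts(iv, forged):
            return 15 ^ chain[i][15] ^ chain[n - 1][15]
    return None

def demo(pad_ok, nbytes=3, seed=2014):
    """Probe, then attack, a receiver that uses pad_ok; returns what each step gave."""
    keys = (b"K" * 16, b"M" * 16)                    # constructed keys
    secret = b"session=s3cr3t!"                      # constructed secret (a cookie in POODLE)
    rng = random.Random(seed)
    oracle = lambda p, s: seal(keys, rng, b"A" * p + secret + b"B" * s)
    accepts = lambda iv, ct: open_record(keys, iv, ct, pad_ok)
    iv, ct = seal(keys, rng, b"probe", pad_fill=bytes(range(0xA0, 0xB0)))
    got = [poodle_recover_byte(oracle, accepts, len(secret), pos) for pos in range(nbytes)]
    return {"bad_pad_accepted": open_record(keys, iv, ct, pad_ok),
            "recovered": None if None in got else bytes(got)}

if __name__ == "__main__":
    print("SSLv3-style check:", demo(ssl3_pad_ok))  # bad pad accepted, b'ses' recovered
    print("TLS-style check:  ", demo(tls_pad_ok))   # bad pad rejected, nothing recovered
```

Running it prints the probe result and the recovered bytes for each policy: the SSLv3-style receiver accepts the garbage-padded probe and leaks the secret one byte per roughly 256 forged records, while the TLS-style receiver rejects the probe and the loop never succeeds. A real check runs the same probe over the network against a live server rather than an in-process model, and needs a client that lets you override the padding bytes of an outgoing record.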