Skip to content ↓ | Skip to navigation ↓

Update: Tripwire has issued a VERT Alert for vulnerability CVE-2014-3566

We have been hearing about a potential SSL version 3 vulnerability and it appears they are true. This vulnerability (CVE­-2014-3566) named POODLE by its discoverers, allows the plaintext of secure connections to be calculated by a network attacker. The vulnerability was discovered by Google researchers Bodo Möller,Thai Duong and Krzysztof Kotowicz.

The vulnerability allows an attacker to compromise the encryption when using the SSLv3 protocol. An attacker can add padding to a request calculating the plaintext of encryption using the SSLv3 protocol. Newer browsers will default to newer more secure encryption protocols (e.g., TLSv1.2). But it is possible for malicious attackers to trigger conditions in many browsers that will force them to fall back to SSLv3. The end result of the vulnerability is that an attacker can force a downgrade to SSLv3 allowing traffic over an encrypted connection using the vulnerable protocol to be intercepted.

Read the full details of the vulnerability here (PDF) 

This vulnerability primarily affects clients. Where vulnerabilities, such as Heartbleed and Shellshock, affected servers, this particular vulnerability targets a client system; however, even if the system is vulnerable it would need to be on an open Wi-Fi connection to be compromised by a man-in-the-middle attack.