
POODLE security vulnerability protection

Overview

This article answers questions and describes procedures to protect against the Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability, disclosed on October 14, 2014 (CVE-2014-3566 from Red Hat Bugzilla). POODLE is an attack on the SSL 3.0 protocol itself, not on a particular implementation, so any product that still negotiates SSLv3 is affected. An attacker positioned between the client and the server (a man in the middle) can use it to recover secrets such as session cookies and passwords from an encrypted session, and so gain access to a user's private account data on a website even though HTTPS is used.

Although SSLv3 is rarely negotiated by default, most browsers fall back to it when a handshake with a newer protocol such as TLS fails, and an active attacker can cause that failure deliberately to force the downgrade. This is why the vulnerability affects all current browsers and most websites.

Environment

  • All WHD versions
  • CVE-2014-3566 from Red Hat Bugzilla

Detail

How can I protect my environment?

There are several ways to protect your environment:

  • Disable SSL 3.0 support on your web server. Disabling only the CBC-mode ciphers for SSL 3.0 also mitigates POODLE, but it leaves RC4 as the sole SSL 3.0 cipher, which has known weaknesses of its own, so disabling the protocol entirely is the recommended option.
  • Enable FIPS mode for SolarWinds products using the FIPS manager. Your whole environment must be FIPS compliant; for example, MD5 and DES in SNMPv3 are not supported under FIPS.
  • Disable SSL 3.0 in your browser settings. POODLE is a man-in-the-middle attack that relies on forcing the browser to fall back to SSL 3.0; a browser that no longer speaks SSL 3.0 cannot be downgraded to it.
  • If you use Web Help Desk 12.1.0, upgrade from Java 6 to Java 7. Web Help Desk 12.1.0 ships with Java 6; Java 7 is required to restrict its web server to TLS.
  • Apply the OpenSSL updates as they become available. They add support for the TLS_FALLBACK_SCSV signalling value, which lets a client and server that both support it refuse a downgraded handshake.

What happens when I disable SSL 3.0 on my web server?

Some old clients, such as Internet Explorer 6 on Windows XP, may no longer be able to establish a secure connection to your site (IE 6 supports TLS 1.0, but it is disabled by default). Major browser vendors, including Mozilla and Google, have announced that their upcoming versions will no longer fall back to SSL 3.0. You can disable SSL 3.0 in your browser yourself now or wait for the next release.

Which SolarWinds products are affected?

Any product that negotiates SSL 3.0 for an HTTPS or other SSL connection is affected, regardless of the library used; the weakness is in the protocol, not in OpenSSL.

Products that use OpenSSL only for its cryptographic functions and never negotiate SSL 3.0 are not exposed to POODLE, but a vulnerability scanner will still report them if they ship an OpenSSL version it considers vulnerable.

Disable SSL 3.0 on an IIS web server

You can review and follow Microsoft (© 2016 Microsoft, available at https://support.microsoft.com, obtained on June 30, 2016.) articles to disable SSL 3.0, or you can modify the registry from an elevated command prompt with the commands below. They disable SSL 2.0 and SSL 3.0 for both the server and the client side of SChannel and explicitly enable TLS 1.0, 1.1 and 1.2; the TLS 1.1 and 1.2 keys apply only on Windows Server 2008 R2 and later. A restart is required for the changes to take effect:

REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 1 /f

REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f

Disable SSL 3.0 in Web Help Desk

Web Help Desk uses two web servers, so depending on how it was installed you must change the tomcat and/or the lighttpd configuration.

If you installed the virtual appliance, modify both the tomcat and the lighttpd configuration.

If you installed the desktop version, modify only the tomcat configuration.

Note: If your Web Help Desk installation is using Java 6, you must upgrade to Java 7 before disabling SSL 3.0. Java 6 does not support TLS 1.1 or TLS 1.2, and applying the tomcat change without first upgrading to Java 7 results in a "Peer is not authenticated" error. For upgrade instructions, see Upgrade from Java 6 to Java 7 if using Web Help Desk 12.1.0 in this article.

lighttpd

  1. Open /opt/vmware/var/lib/vami/webhelpdesk/conf/lighttpd.conf.
  2. Append these two lines to it:
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  3. Save the file. The change takes effect when lighttpd is restarted.

tomcat

  1. Open /usr/local/webhelpdesk/conf/tomcat_server_template.xml.
  2. Search for "sslProtocol" in this file. There are two occurrences.
  3. Modify both lines from
    clientAuth="false" sslProtocol="TLS"
    to
    clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
  4. Save the file. The change takes effect when Web Help Desk (tomcat) is restarted.
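After applying either procedure (the IIS registry changes above or the lighttpd and tomcat edits here), verify from another machine that the server now refuses SSL 3.0. The script below is an added example and is not part of Web Help Desk or SolarWinds documentation. It hand-builds an SSLv3 ClientHello and parses the server's first record, so it works even on systems whose OpenSSL build no longer speaks SSLv3 (where openssl s_client -ssl3 is unavailable). The host and port are command-line arguments; the sample alert and ServerHello records at the end are constructed so that the classifier can be exercised offline.

```python
"""Probe a host for SSL 3.0 support with a hand-built ClientHello.

Added example; not SolarWinds code. The ClientHello is assembled by hand and
the server's first record is parsed directly, so the local TLS library does
not need to support SSLv3.
"""
import os
import socket
import struct
import sys

SSLV3 = b"\x03\x00"          # protocol version 3.0 as it appears on the wire

# Cipher suites offered. The CBC suites are the ones POODLE exploits; RC4 is
# included so a server that removed only CBC-with-SSLv3 still shows that it
# negotiates the protocol at all.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}

ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def build_sslv3_client_hello(client_random=None):
    """Return one SSLv3 record carrying a ClientHello (RFC 6101, section 5.6.1.2)."""
    if client_random is None:
        client_random = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3                                   # client_version
        + client_random                         # gmt_unix_time + random, 32 bytes
        + b"\x00"                               # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # one compression method: null
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 24-bit length
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returns for the ClientHello above.

    Returns (verdict, detail); verdict is 'sslv3_accepted', 'rejected' or 'unexpected'.
    """
    if not data:
        return "rejected", "connection closed without a response"
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:                        # alert record
        level, description = data[5], data[6]
        return "rejected", "alert %s (level %d)" % (ALERT_DESCRIPTIONS.get(description, description), level)
    if content_type == 0x16 and len(data) >= 44 and data[5] == 0x02:   # handshake record, ServerHello
        server_version = data[9:11]
        if server_version != SSLV3:
            return "unexpected", "ServerHello version %d.%d" % (server_version[0], server_version[1])
        offset = 44 + data[43]                  # skip session_id to reach cipher_suite
        if len(data) < offset + 2:
            return "unexpected", "truncated ServerHello"
        suite = struct.unpack("!H", data[offset:offset + 2])[0]
        return "sslv3_accepted", "ServerHello 3.0, cipher %s" % CIPHER_SUITES.get(suite, "0x%04x" % suite)
    return "unexpected", "content type 0x%02x" % content_type


def probe(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify the first record received."""
    received = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                received += chunk
                if len(received) >= 5 and len(received) >= 5 + struct.unpack("!H", received[3:5])[0]:
                    break                       # first record is complete
        except socket.timeout:
            pass
    return classify_response(received)


# Constructed sample responses so the classifier can be exercised offline.
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"     # fatal (2) handshake_failure (40)


def sample_server_hello(version=SSLV3, suite=0x002F):
    """Build a minimal ServerHello record like one an SSLv3-enabled server sends."""
    body = version + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    verdict, detail = probe(target, target_port)
    print("%s:%d %s (%s)" % (target, target_port, verdict, detail))
```

A result of sslv3_accepted means the server still completes an SSLv3 handshake and the fix has not taken effect (or the service was not restarted); rejected, whether by an alert or by a closed connection, is the expected outcome. Run it against every listening HTTPS port, because the tomcat and lighttpd listeners are configured separately.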

Enable FIPS on SolarWinds Products

The FIPS security policy disallows non-compliant protocols, including SSLv2 and SSLv3. However, FIPS requires the whole environment and network to be compliant; for example, SNMPv3 polling cannot use MD5 or DES while FIPS is enabled.

You can enable FIPS in SolarWinds Orion platform products by using this KB article: How do I Enable FIPS?

FIPS compliant products include:

  • DPI 1.0
  • EOC 1.6
  • IPAM 4.1
  • NCM 7.2
  • NPM 10.5
  • NTA 4.0
  • SAM 6.0
  • Toolset 1.0.0
  • UDT 3.0.2
  • VIM 1.9
  • VNQM (IP SLA) 4.2

Enable FIPS in Serv-U

Serv-U uses a different method of enabling FIPS than other SolarWinds products.

  1. Open the Serv-U web console.
  2. Navigate to Global Menu > Limits and Settings > Encryption.
  3. Select Enable FIPS 140-2 mode.

Upgrade from Java 6 to Java 7 if using Web Help Desk 12.1.0

The fix described above in Disable SSL 3.0 in Web Help Desk does not work if your Web Help Desk installation is using Java 6 rather than Java 7. Check which Java version Web Help Desk is using.

If your Web Help Desk installation is using Java 6:

  1. Download and install Java 7 from Oracle. (© 2016 Oracle, available at https://www.oracle.com, obtained on June 30, 2016.)
  2. Stop Web Help Desk.
  3. Point the line starting with JAVA_HOME in the Web Help Desk configuration file, whd.conf, at the newly installed Java Runtime Environment (JRE):
    • For a JRE installed into /opt/jre7: JAVA_HOME=/opt/jre7
    • For a JRE installed into C:\Program Files\Java\jre7: JAVA_HOME=C:\Progra~1\Java\jre7
  4. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for Java 7 from Oracle. (© 2016 Oracle, available at https://www.oracle.com, obtained on June 30, 2016.)
  5. Unzip the archive and copy the two policy files below into the lib/security folder of the new JRE (for example /opt/jre7/lib/security), replacing the existing ones:
    • local_policy.jar
    • US_export_policy.jar
  6. Start Web Help Desk.

How do I detect POODLE attacks on my network?

The downgrade is visible on the server side: most web servers can log the protocol version negotiated for each connection (for example, Apache mod_ssl's %{SSL_PROTOCOL}x log variable). Compare the logged version with the client's user agent or with what you know about a logged-in user's usual client: an SSLv3 session from a browser that negotiated TLS 1.2 a moment earlier, or a burst of SSLv3 requests from a single client, indicates a possible downgrade attempt.
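The following script is an added example, not SolarWinds code, that applies those checks to access-log lines. It assumes a combined log format with the negotiated protocol appended as the last field, and the log lines it contains are constructed for illustration. It flags a client on three indicators: a modern browser user agent speaking SSLv3, a client that previously negotiated TLS and then appears on SSLv3, and a burst of SSLv3 requests from one client (POODLE needs on average 256 requests per byte of plaintext it recovers, so a few hundred SSLv3 requests from one client is a realistic threshold).

```python
"""Flag possible POODLE downgrade activity in web server access logs.

Added example; not SolarWinds code. Assumes a combined log format with the
negotiated protocol as the last field (for example Apache's %{SSL_PROTOCOL}x);
the sample lines below are constructed, not real traffic.
"""
import re
import sys
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<proto>\S+)$'
)

# User agents that have spoken TLS for years; seeing them on SSLv3 is the
# mismatch the article describes. Genuinely SSLv3-only clients such as IE 6
# on Windows XP deliberately do not match.
MODERN_UA = re.compile(r"Chrome/|Firefox/|Safari/|Trident/[5-7]")

# POODLE needs on average 256 requests per recovered plaintext byte, so a
# burst of SSLv3 requests from one client is itself a signal.
BURST_THRESHOLD = 200


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_downgrades(lines, burst_threshold=BURST_THRESHOLD):
    """Return {client_ip: set(reasons)} for clients showing downgrade indicators."""
    findings = defaultdict(set)
    last_proto = {}                 # last protocol version seen per client
    sslv3_hits = defaultdict(int)   # SSLv3 requests per client
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, proto, ua = rec["ip"], rec["proto"], rec["ua"]
        if proto == "SSLv3":
            sslv3_hits[ip] += 1
            if MODERN_UA.search(ua):
                findings[ip].add("modern browser on SSLv3")
            if last_proto.get(ip, "").startswith("TLS"):
                findings[ip].add("regressed from %s to SSLv3" % last_proto[ip])
            if sslv3_hits[ip] >= burst_threshold:
                findings[ip].add("SSLv3 request burst")
        last_proto[ip] = proto
    return dict(findings)


# Constructed sample log: one Chrome client that negotiates TLS 1.2 and is then
# seen hammering the site over SSLv3, one legacy IE 6 client on SSLv3, and one
# Firefox client that only ever uses TLS 1.2.
UA_CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.101 Safari/537.36"
UA_IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
UA_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0"


def _line(ip, second, path, ua, proto):
    return ('%s - - [14/Oct/2014:10:00:%02d +0000] "GET %s HTTP/1.1" 200 5123 "-" "%s" %s'
            % (ip, second, path, ua, proto))


SAMPLE_LOG = (
    [_line("203.0.113.7", 1, "/helpdesk/", UA_CHROME, "TLSv1.2")]
    + [_line("203.0.113.7", 2 + i % 50, "/helpdesk/", UA_CHROME, "SSLv3") for i in range(300)]
    + [_line("198.51.100.4", 5, "/helpdesk/", UA_IE6, "SSLv3")]
    + [_line("192.0.2.9", 7, "/helpdesk/", UA_FIREFOX, "TLSv1.2")]
    + ["garbage line that does not parse"]
)


if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for client, reasons in sorted(find_downgrades(lines).items()):
        print(client, "; ".join(sorted(reasons)))
```

On the constructed sample only 203.0.113.7 is reported, with all three reasons; the IE 6 client is on SSLv3 but matches its expected profile, so it is not flagged. Tune the user-agent pattern and the burst threshold to your own client population before using it on real logs.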

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third party customers. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any. 

 

Last modified
01:36, 11 Jan 2017
