POODLE - and how to get rid of it
A couple of days ago another security vulnerability that affects Linux systems, called POODLE, was announced. It is less serious than Heartbleed; mainly web servers that still allow SSL versions 2 and 3 are affected. Because of a flawed security design it is possible to decrypt transferred data. Those protocol versions are often allowed in the default configuration shipped by many Linux distributions, so administrators should really harden their servers. In the meantime CVE-2014-3566 was created to describe POODLE; the vulnerability was discovered by Google. To fix the issue it is sufficient to simply disable the older protocol versions. For Apache this is done by altering the appropriate configuration file:
#SSLProtocol All
SSLProtocol All -SSLv2 -SSLv3
This directive enables all SSL/TLS protocol versions except SSLv2 and SSLv3.
Poodle Protector
If you're maintaining a large number of systems, configuring the affected systems manually also means unnecessary work that can be automated very easily. Because I'm a lazy person, I developed a script which can analyse and automatically adjust the configuration of Apache servers vulnerable to the POODLE attack. The script (poodle_protector) can be found on GitHub.
The script can also restart the appropriate service which makes it really comfortable to use in combination with a central configuration management (like Red Hat Satellite, Spacewalk or SUSE Manager).
The following command analyses the system and simulates which changes would be made (dry-run):
# ./poodle_protector.py -l
I'd like to create a backup of '/etc/apache2/mods-available/ssl.conf as '/etc/apache2/mods-available/ssl.conf.20141016-1303' ...
I'd like to insert 'SSLProtocol All -SSLv2 -SSLv3' into /etc/apache2/mods-available/ssl.conf using the following command: sed -i '/SSLProtocol/ cSSLProtocol All -SSLv2 -SSLv3' /etc/apache2/mods-available/ssl.conf ...
I'd also like to restart the service using: ['service httpd restart', 'service apache2 restart']
The next command alters the configuration (backups are created beforehand) and restarts the Apache service:
# ./poodle_protector.py -r
httpd: unrecognized service
Restarting web server: apache2 ... waiting .
In this example a Debian system was used - that's why the httpd service can't be found.
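As an added example, not the poodle_protector script and not code from this post, the following Python implements the same dry-run / backup / rewrite workflow for the SSLProtocol directive, but with a parser instead of a plain sed line replacement. It evaluates the directive value the way Apache's SSLProtocol parser does (`all` adds every version, `-X` removes one, `+X` adds one, a bare keyword replaces what was set so far), so a configuration that is already hardened is left untouched, commented-out directives are ignored, and a file with no active directive at all gets one appended (a pattern-based replace would silently change nothing there). The sample configuration, the file name and the backup suffix format are constructed for the example.

```python
import re
import shutil
from datetime import datetime
from pathlib import Path

# Keywords Apache's SSLProtocol directive understands (2.2/2.4 era; newer builds
# no longer know SSLv2 and add TLSv1.3). The set only drives the vulnerability check.
ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
POODLE_AFFECTED = {"sslv2", "sslv3"}
HARDENED_DIRECTIVE = "SSLProtocol All -SSLv2 -SSLv3"

# Matches an active directive only; a line starting with '#' is a comment and is skipped.
_DIRECTIVE_RE = re.compile(r"^(?P<indent>\s*)SSLProtocol\s+(?P<value>\S.*?)\s*$", re.IGNORECASE)

# Constructed sample of an Apache SSL module config (not a real server file).
SAMPLE_CONFIG = """\
<IfModule mod_ssl.c>
    #SSLProtocol All
    SSLProtocol All
    SSLCipherSuite HIGH:!aNULL
</IfModule>
"""


def enabled_protocols(value):
    """Evaluate an SSLProtocol value left to right: 'all' adds every version,
    '-X' removes X, '+X' adds X, and a bare keyword replaces the set built so far
    (Apache warns about the override but applies it)."""
    enabled = set()
    for token in value.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        members = set(ALL_PROTOCOLS) if name == "all" else {name}
        if action == "-":
            enabled -= members
        elif action == "+":
            enabled |= members
        else:
            enabled = members
    return enabled


def directive_is_vulnerable(value):
    """True if the directive still leaves SSLv2 or SSLv3 negotiable."""
    return bool(enabled_protocols(value) & POODLE_AFFECTED)


def harden_config(text):
    """Return (new_text, list of human-readable changes). Only active, still
    vulnerable directives are rewritten; indentation is preserved. If no active
    directive exists, the hardened one is appended so the fix cannot be a no-op."""
    out, changes, found = [], [], False
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _DIRECTIVE_RE.match(line)
        if m:
            found = True
            if directive_is_vulnerable(m.group("value")):
                out.append(m.group("indent") + HARDENED_DIRECTIVE)
                changes.append("line %d: '%s' -> '%s'" % (lineno, line.strip(), HARDENED_DIRECTIVE))
                continue
        out.append(line)
    if not found:
        out.append(HARDENED_DIRECTIVE)
        changes.append("no active SSLProtocol directive found; appended '%s'" % HARDENED_DIRECTIVE)
    return "\n".join(out) + "\n", changes


def apply_to_file(path, dry_run=True):
    """Dry run by default: return the planned changes without touching the file.
    With dry_run=False a timestamped backup (name.YYYYMMDD-HHMM) is copied first,
    then the hardened text is written in place."""
    path = Path(path)
    new_text, changes = harden_config(path.read_text())
    if changes and not dry_run:
        backup = path.with_name(path.name + "." + datetime.now().strftime("%Y%m%d-%H%M"))
        shutil.copy2(path, backup)
        path.write_text(new_text)
    return changes


if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(SAMPLE_CONFIG)
    for change in apply_to_file(fh.name, dry_run=True):
        print("would apply:", change)
    for change in apply_to_file(fh.name, dry_run=False):
        print("applied:", change)
    print(Path(fh.name).read_text())
```

Running the example twice shows the idempotence the sed approach lacks: the second `apply_to_file` call on the rewritten file returns no changes, because `All -SSLv2 -SSLv3` no longer leaves a POODLE-affected version enabled. After restarting Apache, confirm from a client that an SSLv3 handshake is now refused rather than trusting the file edit alone.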