SSL TLS CBC Cipher Suite Detection (59323) // Poodle Vulnerability
18656
Created On 02/16/21 16:10 PM - Last Modified 11/16/21 19:50 PM
Question
What does SSL TLS CBC Cipher Suite Detection (59323) // Poodle Vulnerability mean?
Environment
- Palo Alto Firewall.
- Any PAN-OS
- Threat Protection.
Answer
SSL TLS CBC Cipher Suite Detection (59323) was built to detect what has been termed as the POODLE vulnerability, a vulnerability within Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers. This vulnerability lets an attacker eavesdrop on communication encrypted using SSLv3 (CVE-2014-3566 ). The vulnerability is no longer present in the Transport Layer Security protocol (TLS), which is the successor to SSL (Secure Socket Layer).
Due to the possibility of this signature triggering on legitimate traffic, the signature was modified and released with 8327 (2020-10-01 UTC), with the severity set to 'Informational' and the action set to 'Allow'. This means traffic hitting this signature will be allowed with no log written. Customers can modify the action to 'Alert' if they desire to see log entries.
What is the Poodle Vulnerability?
A report was compiled that estimated approximately 3.9% of web servers are vulnerable to this attack due to using SSL 3.0 vice the recommended TLS. The vulnerability got it's name POODLE from what it is (Padding Oracle on Downgraded Legacy Encryption). Palo Alto Networks changed the name of the Threat signature to SSL TLS CBC Cipher Suite Detection to better articulate what the vulnerability actually is.
Cipher suites that use cipher-block chaining (CBC mode) are vulnerable to POODLE. CBC mode means that the value of each block depends on the value of the previous block – it is calculated by using the logical operation XOR. Also, a random data block is added at the start – this is called an initialization vector. This is necessary so that every time data is encrypted, it looks different (and therefore the attacker cannot figure out the data based on similarities). Understanding the nuances of exactly why CBC is vulnerable is beyond the scope of this Knowledgebase Article;l you can read more about it at the following link: https://blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites/
Additional Information
References:
https://us-cert.cisa.gov/ncas/alerts/TA14-290A
https://www.acunetix.com/blog/web-security-zone/what-is-poodle-attack/
https://www.openssl.org/~bodo/ssl-poodle.pdf