October 29, 2014
Security experts try to rein in POODLE
Sometimes names can be disarming ways of identifying high-risk exploits. That's the case with POODLE, a new SSL-based security threat that comes after the IT community's efforts to contain Heartbleed, and then the Shellshock vulnerability of the bash shell program. HP 3000s are capable of deploying SSL security protocols in Web services. Few do, in the field; most companies assign this kind of service to a Linux server, or sometimes to Windows.
The acronym stands for Padding Oracle on Downgraded Legacy Encryption. This oracle has nothing to do with the database giant. A Wikipedia article reports that such an attack "is performed on the padding of a cryptographic message. The plain text message often has to be padded (expanded) to be compatible with the underlying cryptographic primitive. Leakage of information about the padding may occur mainly during decryption of the ciphertext."
The attack can also be performed on HP's Next Generation Firewall (NGFW), a security appliance that is in place protecting thousands of networks around the world. Other firewalls are at risk. Just this week HP released a security patch to help the NGFW appliances withstand the attack. External firewalls are a typical element in modern web service architectures.
A POODLE attack takes a bite out of SSL protections by fooling a server into falling back to an older SSLv3 protocol. HP reported that its Local Security Manager (LSM) software on the NGFW is at risk. But a software update is available at the HP TippingPoint website, the home of the TippingPoint software that HP acquired when it bought 3Com in 2010. TippingPoint rolled out the first HP NGFW firewalls last year.The TippingPoint experts seem to understand that older protocols -- a bit like the older network apps installed in servers like the 3000 -- are going to be indelibile.
The most effective mitigation is to completely disable the SSLv3 protocol. If this is not possible because of business requirements, alternately the TLS_FALLBACK_SCSV flag can be enabled so that attackers can no longer force the downgrade of protocols to SSLv3.
What's at risk in your data pool? HP says it likely to be sensitive, short strings of data such as session IDs and cookie values, "which can then be used to hijack the users' sessions, etc."
Et cetera indeed. The added challenge which enterprise managers assume once they move into open networks are the POODLEs, shocks to a shell and the bleeding hearts of newer operating environments. The security expertise to meet these challenges is a well-spent investment -- whether it's through a 3000-savvy services provider, or the vendor of the migration target system that's just replaced a 3000.
Basic information on these threats is always provided for free. Implementation savvy can be a valuable extra expense. For example, HP adds this nuance about disabling protocols.
An important note: both the client and server must be updated to support that TLS_FALLBACK_SCSV flag. If both allow for SSLv3 and one of them has not been updated to support the flag, the attack will remain possible.
Use our search engine to find 20 years
of HP 3000 news and articles
The comments to this entry are closed.