These Recently Discovered POODLEs Can Bypass Your TLS

Networks that require support for backwards compatibility with older ciphers and cryptographic methods may also have to avoid upgrading to TLS 1.3, because that’s been dropped, too. And that’s unfortunate because having to maintain backwards compatibility with older cryptographic standards makes networks vulnerable to some pretty terrible exploits. Terrible exploits include Zombie POODLE and GOLDENDOODLE, recently discovered by Tripwire’s Craig Young. Young wrote:

"Zombie POODLE and GOLDENDOODLE are the names I’ve given to the vulnerabilities I’ll be discussing. Similar to ROBOT, DROWN and many other vulnerabilities affecting HTTPS, these issues stem from continued use of cryptographic modes which should have been long ago deprecated and yet are inexplicably still supported in TLSv1.2. In this case, the troublesome feature is that TLSv1.2 supports CBC mode ciphersuites.”

These worrisome new discoveries are related to POODLE, a previously known padding exploit. Patrick Nohe explains:

POODLE worked by attacking the padding used with block ciphers. When encryption is done with a block cipher, the length of the data being input needs to be an exact multiple of the block’s length in bytes. For instance, with triple DES, the block length is 8 bytes (64 bits), for AES it’s 16 bytes (128 bits), so before encryption can be performed using either of those ciphers you’d need to pad the input to be a multiple of the block length.

The simplest way to be safe from Zombie POODLE and GOLDENDOODLE is to implement TLS 1.3, because then, there’d be no padding to exploit. That’s going to be a real challenge for networks that must support older technologies and networks, which require the ability to implement packet inspection.

Citrix load balancers may be vulnerable to the recently discovered Zombie POODLE and GOLDENDOODLE exploits because that’s how Craig Young discovered them.

The Citrix-specific Zombie POODLE and GOLDENDOODLE vulnerability has been recorded as CVE-2019-6485. Here’s how that particular vulnerability is described:

"A vulnerability has been identified in the Citrix Application Delivery Controller (ADC) formally known as NetScaler ADC and NetScaler Gateway platforms using hardware acceleration that could allow an attacker to exploit the appliance to decrypt TLS traffic. This vulnerability does not directly allow an attacker to obtain the TLS private key."

Fortunately, the fine people at Citrix have already been deploying patches which address Zombie POODLE and GOLDENDOODLE. If your network has any NetScaler or ADC devices, upgrade to these new firmware versions as soon as you can:

• Citrix ADC and NetScaler Gateway version 12.1 build 50.31 and later
• Citrix ADC and NetScaler Gateway version 12.0 build 60.9 and later
• Citrix ADC and NetScaler Gateway version 11.1 build 60.14 and later
• Citrix ADC and NetScaler Gateway version 11.0 build 72.17 and later
• Citrix ADC and NetScaler Gateway version 10.5 build 69.5 and later

Load balancers from other vendors, web application firewalls, and remote access SSL VPNs may still be subject to Zombie POODLE and GOLDENDOODLE if you use TLS 1.2 or TLS 1.1. If your network needs to stick with TLS 1.2, you can mitigate against these padding exploits by completely disabling all support for CBC encryption suites.

If Zombie POODLE and GOLDENDOODLE has you biting your nails, Young is ready to present his full findings at Black Hat Asia in Singapore at some point during the March 26-29 event. What do we have to look forward to? Here’s a brief description from Black Hat Asia’s website:

“HTTPS is the backbone for online privacy and commerce – yet, for two decades, the underlying TLS protocol received little more than a series of band-aid fixes. Rather than deprecating cryptographic techniques with known weakness, the TLSv1.2 specification has a long list of workarounds, countermeasures and caveats, which must be carefully followed to prevent attack. This is evident from the fact that PKCS #1 v1.5 padding, RC4 encryption, and CBC mode ciphers can all be used in TLSv1.2.

This session will highlight research into more effective testing and exploitation techniques for CBC padding oracles. We'll uncover how a slight tweak to POODLE resurrected the vulnerability in a major enterprise HTTPS implementation more than three years after it had been patched."

I’m eagerly anticipating more information about these very inconvenient and dangerous new vulnerabilities.