POODLE vulnerability

These are old archives. They are kept for historic purposes only.
Post Reply
Alucard
Posts: 9
Joined: Fri Mar 06, 2009 3:12 am

POODLE vulnerability

Post by Alucard »

POODLE: http://googleonlinesecurity.blogspot.co ... sl-30.html
https://www.us-cert.gov/ncas/alerts/TA14-290A

I believe Unreal IRCd is vulnerable because SSLv3 is supported. The fix is to disable SSLv3 and just use TLS 1+. Is this possible (3.2.10.4)?

Test with -

Code: Select all

$ echo | openssl s_client -connect irc.unrealircd.com:6697 -ssl3 2>&1 | grep New
New, TLSv1/SSLv3, Cipher is AES256-SHA 
# Successful SSL connection ^
$ echo | openssl s_client -connect irc.unrealircd.com:6697 -ssl2 2>&1   | grep New
New, (NONE), Cipher is (NONE)
# Unsuccessful (SSLv2 is not supported, which is good) ^
-tls1 is also a switch
Syzop
UnrealIRCd head coder
Posts: 1961
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Re: POODLE vulnerability

Post by Syzop »

The good news is that the POODLE attack does not apply to IRC. It's not feasible.
Why? Two things: 1) It requires a high amount of reconnects, and 2) It requires chosen plaintext messages, in other words: the attacker must be able to choose what gets sent over the SSL/TLS connection.
This attack works for HTTP(S) because if the attacker controls the browser - like via javascript - he can make various GET requests, and at high speed too.
For IRC that's not the case. Chosen plaintext doesn't happen, the only case I could think of would be irc:// links from a browser but that will always prompt the user (plus.. how useful is that). And the high amount of reconnects is countered as well: all UnrealIRCd installations that use the default configuration file have throttling in place which limits you to 3 connections per second, that's really slow.

That being said, I think it's wise to add an option in a future version to control which SSL/TLS protocol is enabled. Similar to the cipher list. That way you can (more) easily disable the old SSL3 protocol.
Post Reply