Advisory – SSL v3 “POODLE” Attack

SSL v3 “POODLE” Attack
Padding Oracle On Downgraded Legacy Encryption

The vulnerability is a man-in-the-middle (MITM) attack, so it isn’t trivially exploitable, but various sources indicate it has been seen in the wild. There are currently no patches for this issue: OpenSSL, the world’s most used SSL library, is still patching the source code, after which they will release the update and vendors can then patch their systems.

The vulnerability exists if both the server and the client accept SSLv3 (even if both are capable of TLSv1/TLSv1.1/TLSv1.2, because of a downgrade attack).

For more information, see http://www.cvedetails.com/cve/CVE-2014-3566/
or search for ‘CVE-2014-3566’.

In the meantime, a quick and easy fix is to disable SSL v3 on your systems.

Regards
Netnorth Support

Bash Vulnerability

Here are a few thoughts on the recent bash vulnerabilities:
A lot of media reports have said only people calling CGI scripts with
bash are at risk, but it extends much further than that due to the way
the OS works.

Spawning a new process (e.g. to start a CGI, regardless of whether
it's a shell script) involves a system call which uses the default shell
(/bin/sh) to call the process.
On many Linux systems, /bin/sh is a symlink to /bin/bash.

Therefore, to start (for example) a PHP CGI binary (for a webserver
configured with PHP as CGI, or suPHP), the OS first calls /bin/sh to call
php-cgi or php-cli.

This brief call to the default shell allowed malicious environment
variables to be passed to bash which could exploit it.

FreeBSD was unaffected because its /bin/sh is not bash.
On FreeBSD, /bin/sh is a very simple shell, as generally it's only ever
called to start processes.  It also has to be statically compiled so
that it can run during system recovery.  Statically compiled
binaries are much larger than dynamic binaries.

Although OSX is based upon FreeBSD, Apple made the decision to change
the default shell to bash which meant OSX was also vulnerable to this.

Some embedded systems were also vulnerable, but most were not.
Although many embedded systems run a form of Linux (e.g. wifi routers
etc.), they tend to use busybox rather than bash as bash is very bloated
and eats into the very limited ROM space on the devices.

Some newer Linux derivatives have moved from bash to 'dash', but this
also has its own potential complications: it's a (relatively) new
shell which may or may not have seen as much use as other
well-established shells.  However, it does not suffer from the current
bash issues.
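
An added example (not part of the original advisory): a POSIX shell check for which shell actually sits behind /bin/sh, covering the bash, dash and busybox cases described above. The function names are made up for this example, and the BASH_VERSION probe is there for systems where sh is a bash binary under another name rather than a symlink.

```sh
#!/bin/sh
# Added example: report which shell really sits behind /bin/sh.
# Function names are hypothetical, chosen for this example.

# resolve_link PATH: follow a symlink chain by hand (no readlink -f needed).
resolve_link() {
    p=$1
    hops=0
    while [ -L "$p" ] && [ "$hops" -lt 40 ]; do
        t=$(readlink "$p")
        case $t in
            /*) p=$t ;;                    # absolute target
            *)  p=$(dirname "$p")/$t ;;    # target relative to the link's directory
        esac
        hops=$((hops + 1))
    done
    printf '%s\n' "$p"
}

# classify_sh [PATH]: print bash, dash, busybox or other.
classify_sh() {
    real=$(resolve_link "${1:-/bin/sh}")
    case $(basename "$real") in
        bash)    echo bash ;;
        dash)    echo dash ;;
        busybox) echo busybox ;;
        *)
            # sh may be a bash binary under another name rather than a symlink;
            # bash sets BASH_VERSION even when it is invoked as sh.
            v=$("$real" -c 'printf %s "${BASH_VERSION:-}"' 2>/dev/null </dev/null) || v=
            if [ -n "$v" ]; then echo bash; else echo other; fi ;;
    esac
}

# audit_sh [PATH]: print a verdict; return 1 when bash is the default shell.
audit_sh() {
    target=${1:-/bin/sh}
    kind=$(classify_sh "$target")
    if [ "$kind" = bash ]; then
        echo "$target is bash: processes started via sh run bash, patch it first"
        return 1
    fi
    echo "$target is $kind: bash is not behind the default shell"
    return 0
}

audit_sh /bin/sh || true
```

A result of "other" only means sh is neither bash, dash nor busybox; bash may still be installed and used by scripts that name it explicitly.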

To date, in the last month there have been 5 different patches required
for bash (for 5 different exploits), and many others believe
there may be more ways to exploit it that are not yet discovered.

Some operating systems have patched different numbers of the exploits
depending on their own methods.