With the release last week of information pertaining to a potential information disclosure vulnerability in numerous systems that use SSL version 3 encryption, we have started to implement changes to client systems to mitigate the associated risk. We recommend clients familiarize themselves with the POODLE SSLv3 vulnerability by reading the excellent Wired.com article that can be seen at http://www.wired.com/2014/10/poodle-explained/.
SSL encryption can be used to secure data connections between systems across the Internet, and on internal networks as well. Its most common usage scenario is to encrypt web browser connections to servers across the Internet. Though encrypted connections are mainly referred to general terms, there are in fact numerous protocols and cyphers that are supported by the various Operating Systems in use today. Naturally, newer Operation Systems can use more recent and therefore stronger encryption protocols than their older counterparts.
The vulnerability disclosed last week was around SSL 3.0, which was a very popular encryption protocol that has widespread Operating System support (Windows, MACs, and Linux etc.). Though it has been surpassed in recent years by newer and stronger encryption techniques, most systems left it enabled to support older systems. A vulnerability in SSL 3.0 has been demonstrated that would possibly allow an attacker to compromise communications protected by this protocol. It does not provide a direct method for an attacker to gain control of any systems. However an attacker may be able to collect credentials for use in subsequent attacks by eavesdropping on SSL 3.0 communications they are able to compromise with this vulnerability. There is no planned “patch” for this vulnerability so the recommendation is simply to disable its use, both on servers and client systems.
SYGNET will be disabling SSL 2.0 (in the event it is still enabled) and SSL 3.0 from all servers as soon as possible. Clients are warned that there could be some disruption to Line of Business applications and websites that may rely on these specific versions of SSL. It is quite difficult to make this determination in advance, therefore, SYGNET recommends proceeding with the changes since they can be reversed relatively easily should a particular application require either of these specific protocols.
SYGNET will also be disabling SSL 2.0 and SSL 3.0 in the browser settings of Microsoft Internet Explorer for domain joined systems via Group Policy. We will also provide instructions to users on how they can manually make this change for browsers other than Microsoft Internet Explorer and for standalone systems not controlled by domain Group Policy.
Further to the measures mentioned above, clients running a current SonicWALL firewall with Security Services enabled have been protected since October 15th, 2014 when the detection signatures were released.
We will of course provide updates regarding the POODLE vulnerability should additional information become available.
Regards, Cameron Gracie.