How to Protect an eG Installation from POODLE Attacks

A POODLE attack is an exploit that takes advantage of the way some browsers deal with encryption. POODLE (Padding Oracle On Downgraded Legacy Encryption) is the name of the vulnerability that enables the exploit. POODLE can be used to target browser-based communication that relies on the Secure Sockets Layer (SSL) 3.0 protocol for encryption and authentication. The Transport Layer Security (TLS) protocol has largely replaced SSL for secure communication on the Internet, but many browsers will revert to SSL 3.0 when a TLS connection is unavailable. An attacker who wants to exploit POODLE takes advantage of this by inserting himself into the communication session and forcing the browser to use SSL 3.0.

The attacker is then free to exploit a design flaw in SSL 3.0 that allows the padding data at the end of a block-cipher record to be changed, so that the encryption becomes weaker each time the data is passed. To prevent a POODLE attack that forces a browser to downgrade to SSL 3.0, administrators should check that their server software supports the latest version of TLS and is configured properly.

The eG Enterprise system is vulnerable to a POODLE attack when the eG manager is configured with SSL. Even though the communication between the eG agents and the manager, or between the manager and user browsers, does not contain business-sensitive data, administrators may still want to avert a security attack. For instance, user login information (possibly even to an Active Directory domain) can be compromised.

(Figure: How a POODLE attack happens)

To protect against unauthorized access and probable abuse by unscrupulous POODLE attackers, you will have to disable SSL 3.0 on the eG manager. To do so, follow the steps below:

  1. Open the eG manager's Tomcat configuration file: <EG_INSTALL_DIR>\manager\tomcat\conf\server.xml
  2. Find the Connector configuration corresponding to the eG manager. This should have the attributes: SSLEnabled="true" scheme="https" secure="true".
  3. If you are using JDK 1.6 for running the eG manager, then remove the attribute sslProtocol="TLS" from the above configuration and replace it with: sslEnabledProtocols="TLSv1"
  4. If you are using JDK 1.7, then remove the attribute sslProtocol="TLS" from the above configuration and replace it with: sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
  5. Now, restart the eG manager for the changes to be effective.
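The edit in steps 2 to 4, as an added Python script (not part of eG Enterprise or this article) that applies it to a constructed server.xml sample and then checks that no HTTPS Connector is left with SSL 3.0 negotiable. The port numbers and keystore attributes in the sample are placeholders, and the two JDK keys are the cases the steps cover.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the eG manager's Tomcat server.xml (not the real file):
# the HTTPS Connector still carries the old sslProtocol="TLS" attribute.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="7077" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="conf/egmanager.jks" keystorePass="PLACEHOLDER"/>
    <Connector port="7078" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

# Protocol lists from steps 3 and 4 above, keyed by the JDK running the manager.
TLS_PROTOCOLS = {"1.6": "TLSv1", "1.7": "TLSv1,TLSv1.1,TLSv1.2"}

def is_ssl_connector(conn):
    """Step 2: the HTTPS Connector has SSLEnabled, scheme=https and secure=true."""
    return (conn.get("SSLEnabled", "").lower() == "true"
            and conn.get("scheme") == "https"
            and conn.get("secure", "").lower() == "true")

def disable_sslv3(server_xml, jdk_version):
    """Steps 3/4: drop sslProtocol and pin sslEnabledProtocols on every HTTPS
    Connector. Raises if there is no such Connector (nothing to harden)."""
    protocols = TLS_PROTOCOLS[jdk_version]
    root = ET.fromstring(server_xml)
    changed = 0
    for conn in root.iter("Connector"):
        if not is_ssl_connector(conn):
            continue
        conn.attrib.pop("sslProtocol", None)        # remove sslProtocol="TLS"
        conn.set("sslEnabledProtocols", protocols)  # explicit TLS-only list
        changed += 1
    if changed == 0:
        raise ValueError("no SSLEnabled Connector found in server.xml")
    return ET.tostring(root, encoding="unicode")

def connectors_still_allowing_sslv3(server_xml):
    """Post-change check: ports of HTTPS Connectors that still leave SSL 3.0
    negotiable (sslProtocol present, or no TLS-only sslEnabledProtocols)."""
    root = ET.fromstring(server_xml)
    weak = []
    for conn in root.iter("Connector"):
        if not is_ssl_connector(conn):
            continue
        enabled = conn.get("sslEnabledProtocols", "")
        if "sslProtocol" in conn.attrib or not enabled or "SSL" in enabled.upper():
            weak.append(conn.get("port"))
    return weak
```

Run the check against the real server.xml after the restart in step 5; an empty list means every HTTPS Connector is pinned to TLS.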