Technical FAQs

Poodle vulnerability mitigated in NetBotz 4.4.1

Issue
Poodle vulnerability mitigated in NetBotz 4.4.1
 
Product Line
NetBotz
 
Environment
Version 3 NetBotz appliances running BotzWare 4.4.1 and higher
 
Cause
CVE-2014-3566, known as the POODLE vulnerability, is a design flaw in the SSL 3.0 protocol itself (its CBC padding is not covered by the MAC, so a man-in-the-middle can recover plaintext from a victim's session), not an implementation bug in OpenSSL or any other SSL library. SSL 3.0 and earlier are therefore broken from a security perspective no matter which library implements them, and the only complete fix is to stop using SSL 3.0.
 
The OpenSSL version used by NetBotz 4.4.1 and higher still has SSL 3.0 enabled, so the vulnerability is still reported against the appliance (for example by vulnerability scanners) even though the TLS_FALLBACK_SCSV mitigation is in place. TLS_FALLBACK_SCSV does not repair SSL 3.0; it only stops a client that supports TLS from being tricked into falling back to SSL 3.0.
 
Resolution
Before the TLS_FALLBACK_SCSV mitigation:
  • The client attempts to connect to the NetBotz appliance (NB) with TLS 1.x.
  • A network issue or a man-in-the-middle attack makes that attempt fail, so the client retries with SSL 3.0.
  • The client connects to NB with SSL 3.0. The connection is now exposed to POODLE and can be compromised.
 
With TLS_FALLBACK_SCSV (available in NetBotz 4.4.1 and above):
  • The client attempts to connect to NB with TLS 1.x.
  • A network issue or a man-in-the-middle attack makes that attempt fail, so the client retries with SSL 3.0.
  • Because this is a retry at a lower version, the client includes the TLS_FALLBACK_SCSV signalling cipher suite in its SSL 3.0 ClientHello.
  • The server sees a ClientHello offering SSL 3.0 that carries TLS_FALLBACK_SCSV. NB 4.4.1 knows it supports a higher version (TLS 1.0), so it knows a downgrade that should never have happened is in progress.
  • NetBotz 4.4.1 rejects the connection request entirely, answering with a fatal inappropriate_fallback alert, and the connection fails.
 
If the client does not support TLS_FALLBACK_SCSV, the "before" scenario still takes place: without the signal, the server cannot tell a forced downgrade from a client that genuinely speaks only SSL 3.0. The mitigation therefore needs both sides: at least NetBotz 4.4.1 on the appliance and a browser that sends TLS_FALLBACK_SCSV when it falls back (current Firefox or Chrome).
If customers have older devices on their network and are forced to keep SSL 3.0 enabled in their browsers, the OpenSSL in NetBotz 4.4.1 cannot protect those browsers; the mitigation fails. Note also that the rejection is triggered by the fallback itself, not by proof of an attack: a TLS_FALLBACK_SCSV-aware client that falls back because of a genuine network fault is refused in exactly the same way, which is by design.
 
Apple appears to have gone the route of disabling SSL 3.0 in its clients, and Microsoft may have done the same. Disabling SSL 3.0 on the client removes the downgrade target altogether, so it protects even against servers that do not implement TLS_FALLBACK_SCSV.
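The "before" and "with TLS_FALLBACK_SCSV" sequences above, as an added example that is not BotzWare or NetBotz code: a small Python model of the server-side decision defined in RFC 7507 (the document that specifies TLS_FALLBACK_SCSV), run through a browser's downgrade retry loop. The version numbers and the SCSV value are the real on-the-wire constants; the `Server`, `ClientHello` and `connect_with_fallback` objects, and the "attacker blocks every TLS attempt" behaviour, are constructed here for illustration. It also covers the two cases the text only mentions in passing: a client that does not send the SCSV, and a server with SSL 3.0 disabled outright.

```python
"""Added example, not BotzWare/NetBotz code: a model of the RFC 7507
TLS_FALLBACK_SCSV check a server performs on a ClientHello, exercised through
a client's downgrade retry loop. Constructed for illustration; it does no I/O."""
from dataclasses import dataclass
from typing import Optional

# Protocol versions as (major, minor), as carried in the handshake.
SSL_3_0 = (3, 0)
TLS_1_0 = (3, 1)
TLS_1_1 = (3, 2)
TLS_1_2 = (3, 3)

# RFC 7507 signalling cipher suite {0x56, 0x00}; it names no real cipher.
TLS_FALLBACK_SCSV = 0x5600
# TLS_RSA_WITH_AES_128_CBC_SHA, used only to make the constructed hello realistic.
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F


@dataclass
class ClientHello:
    client_version: tuple      # highest version this attempt offers
    cipher_suites: list


@dataclass
class HandshakeResult:
    accepted: bool
    version: Optional[tuple]   # negotiated version when accepted
    alert: Optional[str]       # TLS alert description when rejected


class Server:
    """Server with a fixed set of enabled versions. `enforce_scsv` models the
    difference between an appliance before 4.4.1 (False) and 4.4.1+ (True)."""

    def __init__(self, enabled_versions, enforce_scsv):
        self.enabled = set(enabled_versions)
        self.enforce_scsv = enforce_scsv

    def process_client_hello(self, hello: ClientHello) -> HandshakeResult:
        highest = max(self.enabled)
        # RFC 7507 section 3: SCSV present and the client offers a version below
        # the highest we support means a fallback that should not have happened.
        if (self.enforce_scsv
                and TLS_FALLBACK_SCSV in hello.cipher_suites
                and hello.client_version < highest):
            return HandshakeResult(False, None, "inappropriate_fallback")
        # Normal negotiation: highest enabled version not above the client's offer.
        candidates = [v for v in self.enabled if v <= hello.client_version]
        if not candidates:
            return HandshakeResult(False, None, "protocol_version")
        return HandshakeResult(True, max(candidates), None)


def connect_with_fallback(server: Server, client_sends_scsv: bool,
                          attacker_blocks_tls: bool) -> HandshakeResult:
    """Model the browser's downgrade dance: try TLS 1.2 down to SSL 3.0, moving
    one version lower whenever an attempt fails. `attacker_blocks_tls` is the
    constructed man-in-the-middle who breaks every TLS attempt so that only the
    SSL 3.0 retry reaches the server (the "network issue or MITM" in the text)."""
    attempts = [TLS_1_2, TLS_1_1, TLS_1_0, SSL_3_0]
    for retry, version in enumerate(attempts):
        suites = [TLS_RSA_WITH_AES_128_CBC_SHA]
        # An RFC 7507 client adds the SCSV on every retry, never on the first try.
        if retry > 0 and client_sends_scsv:
            suites.append(TLS_FALLBACK_SCSV)
        if attacker_blocks_tls and version != SSL_3_0:
            continue  # attempt never completes; client moves one version down
        return server.process_client_hello(ClientHello(version, suites))
    return HandshakeResult(False, None, "handshake_failure")


if __name__ == "__main__":
    # Constructed servers: the appliance before and after the 4.4.1 change
    # (both still enable SSL 3.0), plus one with SSL 3.0 switched off entirely.
    pre_441 = Server([SSL_3_0, TLS_1_0], enforce_scsv=False)
    nb_441 = Server([SSL_3_0, TLS_1_0], enforce_scsv=True)
    no_ssl3 = Server([TLS_1_0], enforce_scsv=True)
    print("before, MITM, modern browser :", connect_with_fallback(pre_441, True, True))
    print("4.4.1,  MITM, modern browser :", connect_with_fallback(nb_441, True, True))
    print("4.4.1,  MITM, old browser    :", connect_with_fallback(nb_441, False, True))
    print("4.4.1,  no attack            :", connect_with_fallback(nb_441, True, False))
    print("SSL3 off, MITM, old browser  :", connect_with_fallback(no_ssl3, False, True))
```

Run it and the four outcomes line up with the text: the pre-4.4.1 server happily completes the SSL 3.0 handshake, the 4.4.1 server refuses it with inappropriate_fallback, a browser that never sends the SCSV is still downgraded even by the 4.4.1 server, and a server with SSL 3.0 disabled refuses the downgrade regardless of what the client supports. To check a real appliance the same way, `openssl s_client -connect <host>:443 -ssl3 -fallback_scsv` (OpenSSL 1.0.1j or later, built with SSL 3.0 support, which many current builds omit) should be refused with an inappropriate_fallback alert by a 4.4.1 appliance and accepted by an older one.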