Security Advisories
FSC-2014-8: Notice on SSL 3.0 "POODLE" Vulnerability
Description
An attack against CBC-mode ciphers in SSL 3.0 can be exploited by an active man-in-the-middle attacker by forcing a downgrade from TLS to SSL 3.0.
Security advisory: https://www.openssl.org/~bodo/ssl-poodle.pdf
Affected Products
- Risk Level (Low/Medium/High/Cricital) Medium
Corporate Products:
- F-Secure Messaging Security Gateway 7.1, 7.2 and 7.5
- F-Secure Protection Service for Email 7.1, 7.2 and 7.5
- F-Secure Server Security / Email and Server Security 10.x and 11.x
- F-Secure PSB Server Security / PSB Email and Server Security 10.00
- F-Secure Linux Security
Consumer Products:
- Safe Anywhere for PC
- Safe Anywhere for MAC
- F-Secure Freedome
- F-Secure Key
More Information
POODLE stands for Padding Oracle On Downgraded Legacy Encryption. The vulnerability allows a man-in-the-middle attacker to decrypt cipher text using a padding oracle side-channel attack and affects SSL 3.0. This vulnerability does not affect the TLS encryption mechanism. Successful exploitation could lead to information disclosure by recovering small amounts of plaintext from an encrypted SSL 3.0 connection. CVE-2014-3566 has been assigned for this vulnerability.
This advisory will be updated as more information becomes available.
Mitigating Factors
- The attacker must make several hundred HTTPS requests before the attack could be successful.
- TLS 1.0, TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
Note: Products and platforms not listed in this advisory are NOT affected by POODLE.
Affected and Patched
The following products/platforms are affected and are already patched.
| Product/Platform | Remarks |
|---|---|
| F-Secure Messaging Security Gateway 7.1 – 7.5 | Verify that patch has been installed in the appliance. MSG 7.1 – Patch 2092 MSG 7.2 – Patch 2093 MSG 7.5 – Patch 2094 |
| F-Secure Protection Service for Email 7.1 – 7.5 | Verify that patch has been installed in the appliance. PSE 7.1 – Patch 2092 PSE 7.2 – Patch 2093 PSE 7.5 – Patch 2094 |
| Safe Anywhere for PC | The client only creates connections at its own initiative, not controllable by a man-in-the-middle attacker. No patch is required for this product. |
| Safe Anywhere for Mac | The client only creates connections at its own initiative, not controllable by a man-in-the-middle attacker. No patch is required for this product. |
| F-Secure Freedome | F-Secure Freedome servers has been updated to disable SSL 3.0 encryption protocol. |
| F-Secure Key | F-Secure Key servers has been updated to disable SSL 3.0 encryption protocol. |
Affected, Requires User Action
The following products/platforms are affected and are already patched.
| Product/Platform | Remarks |
|---|---|
| F-Secure Server Security | Manually disable SSL 3.0 from the browser. |
| F-Secure Email and Server Security | Manually disable SSL 3.0 from the browser. |
| F-Secure PSB Server Security | Manually disable SSL 3.0 from the browser. |
| F-Secure PSB Email and Server Security | Manually disable SSL 3.0 from the browser. |
| F-Secure Linux Security | Manually disable SSL 3.0 usage from the product. |
Advisory Changes
| Date | Changes |
|---|---|
| 23 October 2014 | First advisory published. |
| 24 October 2014 | F-Secure Search and Safe Avenue removed as they do not use SSL3.0 by default and are thus not affected. Updated Safe Anywhere for PC remark for clarification. |
Date Issued: 2014-10-23
Date Last Updated: 2014-10-24