Poodle / Poodlebleed Vulnerability in SSL 3.0 Could Allow Information Disclosure

  • 7015818
  • 22-Oct-2014
  • 23-Oct-2014

Environment

PlateSpin Forge
PlateSpin Migrate
PlateSpin Protect
PlateSpin Recon

Situation

A vulnerability in SSL 3.0 (commonly known as Poodlebleed) could allow information disclosure.  This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to PlateSpin products or the Windows operating system.  PlateSpin servers leverage Microsoft IIS, which implements the SSL 3.0 protocol.

Resolution

Because PlateSpin servers leverage Microsoft IIS, please follow the recommendation from Microsoft according to:
https://technet.microsoft.com/en-us/library/security/3009008.aspx

Disable SSL 3.0 in Windows
You can disable support for the SSL 3.0 protocol on Windows by following these steps:Click Start, click Run, type regedt32 or type regedit, and then click OK.
In Registry Editor, locate the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 3.0\Server
Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
On the Edit menu, click Add Value.
In the Data Type list, click DWORD.
In the Value Name box, type Enabled, and then click OK.
Note If this value is present, double-click the value to edit its current value.
Type 00000000 in Binary Editor to set the value of the new key equal to "0".
Click OK. Restart the computer.

 
Note: This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.

Note:  After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server.
It is also recommended to disable SSL 3.0 in the end user's browsers.

Cause

Although SSL 3.0 is almost 15 years old, many servers and web browsers still use it today. When web browsers fail at connecting on a newer SSL version (i.e. TLS 1.0, 1.1, or 1.2), they may fall back to a SSL 3.0 connection.
Because a network attacker can cause connection failures, including the failure of TLS 1.0/1.1/1.2 connections, they can force the use of SSL 3.0 and then exploit the poodle / poodlebleed bug in order to decrypt secure content transmitted between a server and a browser.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.