A newly discovered vulnerability in an old version of the SSL protocol represents a threat to a large number of Web servers because they contain legacy support for the outdated technology. The SSL Man In The Middle Information Disclosure Vulnerability (CVE-2014-3566) affects version 3.0 of SSL, which was introduced in 1996 and has since been superseded by several newer versions of its successor protocol, TLS. However, the vulnerability may still be exploited because SSL 3.0 continues to be supported by nearly every Web browser and a large number of Web servers.
SSL and TLS are both secure protocols for Internet communication and work by encrypting traffic between two computers. Most TLS clients will downgrade the protocol they use to SSL 3.0 if they have to work with legacy servers. The vulnerability lies in the fact that an attacker can potentially interfere with the handshake process which verifies which protocol the server can use and force it to use SSL 3.0 even if a newer protocol is supported.
The vulnerability was disclosed by Google, which said that a successful exploit could allow an attacker to carry out a man-in-the-middle (MITM) attack to decrypt secure HTTP cookies, which could let them steal information or take control of the victim’s online accounts. The attack can be executed both on the server side and client side.
The type of attack facilitated by this vulnerability is in some respects similar in nature to exploitation of the Heartbleed vulnerability, which affected OpenSSL, one of the most commonly used implementations of the SSL and TLS cryptographic protocols. It too provided a way for attackers to extract data from supposedly secure connections.
However, unlike Heartbleed, the attacker needs to have access to the network between the client and server to interfere with the handshake process. One potential avenue of attack could be through a public Wi-Fi hotspot. Because the attacker needs to have access to the network, this issue is not as severe as Heartbleed.
Disabling SSL 3.0 support, or disabling CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but might cause compatibility problems. Because of this, Google’s recommendation is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0.
An Audit Signature designed to detect usage of the SSL 3.0 protocol has been released for Symantec Endpoint Protection (SEP). Audit Signatures do not block traffic associated with these non-malicious applications, but empower SEP administrators to learn which endpoints in their network are running such software in case it is something that is not desired on the corporate network. The administrators can take action as they see fit.
The initial release of Symantec Endpoint Protection 12.1 does not include Audit Signatures. Audit Signatures function in SEP 12.1 RU2 and above.