echo: alt-comp-anti-virus
to: ALL
from: VIRUS GUY
date: 2014-12-08 22:46:00
subject: Meaner POODLE bug that by

      "So far, load balancers and similar devices sold by two
       different manufacturers have been identified as vulnerable.
       The makers are F5 and A10."

F5?

A10?

WTF?  Who are those companies?

       "Although recent versions of TLS call for the encryption 
        padding to be closely checked for so-called Oracle attacks,
        the companies' implementations skip this step, making them
        vulnerable to POODLE-style exploits."

Of course they skipped the Oracle-attack check (what-ever the hell that
is).  Their hardware skips that check because the US gov't / NSA told
them to design their equipment to skip the checks.

        "F5 has issued an advisory detailing precisely which products
         are vulnerable and showing how they can be patched. The 
         status of a fix from A10 wasn't immediately known."

Again, who the #### are "F5" and "A10" ?

=======================================================================

Meaner POODLE bug that bypasses TLS crypto bites 10 percent of websites

Dec 9, 2014

Some of the world's leading websites—including those owned or operated
by Bank of America, VMware, the US Department of Veteran's Affairs, and
business consultancy Accenture—are vulnerable to simple attacks that
bypass the transport layer security encryption designed to thwart
eavesdroppers and spoofers.

The attacks are a variation on the so-called POODLE exploits disclosed
two months ago against secure sockets layer (SSL), an encryption
protocol similar to transport layer security (TLS). Short for "Padding
Oracle On Downgraded Legacy Encryption," POODLE allowed attackers
monitoring Wi-Fi hotspots and other unsecured Internet connections to
decrypt HTTPS traffic encrypted by the ancient SSL version 3. Browser
makers quickly responded by limiting or eliminating use of SSLv3, a move
that appears to have averted widespread exploitation of the bug.

On Monday, word emerged that there's a variation on the POODLE attack
that works against widely used implementations of TLS. At the time this
post was being prepared, SSL Server Test, a free service provided by
security firm Qualys, showed that some of the Internet's top
websites—again, a list including Bank of America, VMware, the US
Department of Veteran's Affairs, and Accenture—are susceptible. The
vulnerability was serious enough to earn all sites found to be affected
a failing grade by the Qualys service.

http://cdn.arstechnica.net/wp-content/uploads/2014/12/bofa-results.jpg

Stealing cookies, one crumb at a time

As concerning as POODLE was to security professionals, it required
attackers to follow several steps that could often prove difficult in
real-world environments. Attackers had to spoof packets sent between
websites and end users to force them to use SSLv3. It also required
attackers to slightly modify transactions thousands of times until they
could successfully guess the contents of encrypted payloads, one
character at a time. By using the padding oracle to deduce the contents
of the payloads, attackers could obtain authentication cookies or
security tokens used to gain access to user accounts or other restricted
sections of a vulnerable website. The newly disclosed attack against TLS
is similar, except that it's slightly less demanding to carry out.

"The impact of this problem is similar to that of POODLE, with the
attack being slightly easier to execute — no need to downgrade modern
clients down to SSL 3 first, TLS 1.2 will do just fine," Ivan Ristic,
Qualys's director of application security research, wrote in a blog post
titled POODLE bites TLS. "The main target are browsers, because the
attacker must inject malicious JavaScript to initiate the attack. A
successful attack will use about 256 requests to uncover one cookie
character, or only 4096 requests for a 16-character cookie. This makes
the attack quite practical."

So far, load balancers and similar devices sold by two different
manufacturers have been identified as vulnerable. The makers are F5 and
A10. Although recent versions of TLS call for the encryption padding to
be closely checked for so-called Oracle attacks, the companies'
implementations skip this step, making them vulnerable to POODLE-style
exploits. F5 has issued an advisory detailing precisely which products
are vulnerable and showing how they can be patched. The status of a fix
from A10 wasn't immediately known.
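As an added illustration of the padding check the article says the affected devices skip (example code written for this post, not from Ars Technica, Qualys, F5 or A10): TLS 1.0 through 1.2 require every CBC padding byte to equal the padding-length byte, whereas SSLv3 only defined the last byte, which is the gap POODLE relies on. The function names below are this example's own.

```python
# Added example: the TLS 1.x CBC padding rule versus the looser SSLv3 rule.
# After CBC decryption a TLS record looks like:
#   ... | plaintext | MAC | padding bytes | padding_length
# TLS 1.0-1.2 (RFC 5246 section 6.2.3.2): every padding byte must equal
# padding_length. SSLv3: only padding_length is defined, the padding bytes
# themselves are arbitrary. An implementation that applies the SSLv3 rule
# to TLS records is what the article describes as "skipping the check".
import hmac


def tls_padding_ok(decrypted: bytes) -> bool:
    """Strict TLS 1.x check: padding_length + 1 bytes, all equal to padding_length."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    if pad_len + 1 > len(decrypted):          # padding cannot exceed the record
        return False
    expected = bytes([pad_len]) * (pad_len + 1)
    # compare_digest keeps the comparison constant-time; a real TLS stack must
    # also keep the subsequent MAC check timing-independent of this result.
    return hmac.compare_digest(decrypted[-(pad_len + 1):], expected)


def sslv3_style_padding_ok(decrypted: bytes) -> bool:
    """Lax SSLv3 rule: only the length byte is inspected, padding bytes are ignored."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    return pad_len + 1 <= len(decrypted)


def strip_padding(decrypted: bytes) -> bytes:
    """Return the record with valid TLS padding removed; raise on invalid padding."""
    if not tls_padding_ok(decrypted):
        raise ValueError("bad_record_mac")     # TLS alert a conforming stack sends
    return decrypted[:-(decrypted[-1] + 1)]


if __name__ == "__main__":
    # Constructed sample records: same length byte, different padding bytes.
    good = b"cookie=1" + b"\x03\x03\x03\x03"   # 3 pad bytes + length byte, all 0x03
    bad = b"cookie=1" + b"\x41\x42\x03\x03"    # length says 3, bytes are garbage
    print("TLS rule  :", tls_padding_ok(good), tls_padding_ok(bad))      # True False
    print("SSLv3 rule:", sslv3_style_padding_ok(good), sslv3_style_padding_ok(bad))  # True True
```

The second line of output is the problem in one glance: under the SSLv3-style rule a tampered record with the right length byte is accepted, so the receiver's accept/reject behaviour leaks information about the plaintext.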

According to Ristic, about one in 10 websites are vulnerable to the new
POODLE attack for TLS. That means 10 percent of sites are vulnerable to
man-in-the-middle attacks that face a reasonable chance of success
bypassing Web encryption. Users are invited to use the Qualys service to
identify other high-profile sites that are vulnerable. Administrators
should waste no time ensuring their sites aren't affected.

http://arstechnica.com/security/2014/12/meaner-poodle-bug-that-bypasses-tls-crypto-bites-10-percent-of-websites
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)

SOURCE: echomail via QWK@docsplace.org
