Protect your network from the SSL v3.0 "POODLE" vulnerability

How to protect my network from the SSL v3.0 “POODLE” vulnerability?

A new vulnerability, announced in October and tracked as CVE-2014-3566, affects the Secure Sockets Layer version 3 (SSL v3.0) protocol when a block cipher is used in Cipher Block Chaining (CBC) mode. Zyxel Communications is aware of this POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability and offers solutions, as well as a diverse range of security products, to help protect your network from this threat.

SSL is a widely used transport-security mechanism for many software components. POODLE is a weakness in the SSL v3.0 protocol that allows an attacker in a Man-in-the-Middle (MitM) position to decipher the plaintext content of an SSL v3.0 encrypted message.

The components most likely to be affected by this threat are web browsers, mail servers, VPN servers and web servers. Because this is a critical vulnerability that can be exploited to cause significant data theft, Zyxel strongly recommends that you take the actions described below to close any potential security holes in applications that use version 3 of the SSL protocol.

For more advisory information, please refer to the following link: 
https://access.redhat.com/articles/1232123 

Solution

To address the issue, on 30 October 2014 Zyxel released new IDP signatures, versions 3.0.3.111 and 3.1.4.111, for its Next-Gen USG Series gateways and ZyWALL Series VPN firewalls. The IDP signatures enable the following protection, which guards networks against the POODLE vulnerability by blocking all types of access that use the SSL v3.0 protocol.

1130118  SSL OpenSSL SSLv3 POODLE Padding Brute Force (CVE-2014-3566)

In the meantime, we recommend that customers immediately disable SSL v3.0 support for applications on both servers and clients. Many applications that use stronger encryption by default still implement SSL v3.0 as a fallback option. This fallback should be disabled so that a malicious user cannot force SSL v3.0 communication in cases where both parties still accept it. End-users can follow the steps described in the following links to prevent any mishaps.

Additionally, a new firmware patch will be released in the middle of November 2014 that disables the SSL v3.0 setting by factory default, to avoid data leakage from communication between client and server.
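After disabling the SSL v3.0 fallback, an administrator will want to confirm that a server they operate really refuses SSL v3.0. The following script is an added example, not Zyxel code and not tied to any product above: it builds a minimal SSL 3.0 ClientHello that offers only CBC cipher suites (the combination POODLE targets), sends it, and classifies the first record the server returns. A server that answers with an SSL 3.0 ServerHello is still exposed; an alert means the downgrade was refused. The helper names (build_sslv3_client_hello, classify_server_reply, make_server_hello, probe) are assumptions for this example, and make_server_hello only produces constructed sample replies for offline checking.

```python
"""Audit helper: does a server you administer still accept an SSL 3.0 handshake?

Added example, not Zyxel code. Helper names are hypothetical.
"""
import socket
import struct

SSL3_VERSION = b"\x03\x00"            # major=3, minor=0 on the wire

# CBC-mode suites an SSL 3.0 server typically offered (standard IANA values)
SSL3_CBC_SUITES = {
    0x000A: "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02


def build_sslv3_client_hello(suites=tuple(SSL3_CBC_SUITES), client_random=bytes(32)):
    """Return one handshake record carrying an SSL 3.0 ClientHello."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        SSL3_VERSION                              # client_version = 3.0
        + client_random                           # 32 bytes (fixed here for determinism)
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                             # one compression method: null
    )
    handshake = bytes([HS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([RECORD_HANDSHAKE]) + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_server_reply(data):
    """Classify the first record a server sends back.

    Returns (status, cipher_suite):
      ("sslv3_accepted", suite)  ServerHello with version 3.0: server is exposed
      ("rejected", None)         alert record: SSL 3.0 refused, the desired state
      ("other_version", suite)   ServerHello carrying a different version
      ("unknown", None)          anything else, or truncated data
    """
    if len(data) < 5:
        return ("unknown", None)
    if data[0] == RECORD_ALERT:
        return ("rejected", None)
    if data[0] != RECORD_HANDSHAKE or len(data) < 11 or data[5] != HS_SERVER_HELLO:
        return ("unknown", None)
    server_version = data[9:11]
    # ServerHello body: version(2) random(32) session_id_len(1) session_id cipher_suite(2)
    sid_len_off = 11 + 32
    if len(data) < sid_len_off + 1:
        return ("unknown", None)
    suite_off = sid_len_off + 1 + data[sid_len_off]
    if len(data) < suite_off + 2:
        return ("unknown", None)
    suite = struct.unpack("!H", data[suite_off:suite_off + 2])[0]
    status = "sslv3_accepted" if server_version == SSL3_VERSION else "other_version"
    return (status, suite)


def make_server_hello(version, suite, session_id=b""):
    """Constructed sample ServerHello record for offline testing (not real traffic)."""
    body = version + bytes(32) + bytes([len(session_id)]) + session_id + struct.pack("!H", suite) + b"\x00"
    handshake = bytes([HS_SERVER_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([RECORD_HANDSHAKE]) + version + struct.pack("!H", len(handshake)) + handshake


def probe(host, port=443, timeout=5.0):
    """Send the ClientHello to a server you administer and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        return classify_server_reply(sock.recv(4096))


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    status, suite = probe(target, int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    name = SSL3_CBC_SUITES.get(suite, hex(suite) if suite is not None else "-")
    print(f"{target}: {status} ({name})")
```

Run it as `python audit_sslv3.py your.server.example 443` against hosts you are responsible for; "rejected" is the result you want to see after the fallback has been switched off. The classifier only reads the first record, which is enough for this yes/no check, and the constructed make_server_hello replies let the parsing logic be exercised without any network access.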

Next Generation Unified Security Gateway

Product     Product Description
USG 1900    Next-Gen Unified Security Gateway - Extreme Series
USG 1100    Next-Gen Unified Security Gateway - Extreme Series
USG 310     Next-Gen Unified Security Gateway - Advanced Series
USG 210     Next-Gen Unified Security Gateway - Advanced Series
USG 110     Next-Gen Unified Security Gateway - Advanced Series
USG 60W     Next-Gen Unified Security Gateway - Performance Series
USG 60      Next-Gen Unified Security Gateway - Performance Series
USG 40W     Next-Gen Unified Security Gateway - Performance Series
USG 40      Next-Gen Unified Security Gateway - Performance Series

ZyWALL VPN Firewall

Product       Product Description
ZyWALL 1100   VPN Firewall
ZyWALL 310    VPN Firewall
ZyWALL 110    VPN Firewall