CVE-2014-3566: Removing SSLv3 from LineRate

A new SSL vulnerability named POODLE (Padding Oracle On Downgraded Legacy Encryption) has been disclosed. CVE-2014-3566 is the official reference for this vulnerability. During a TLS connection handshake, an attacker can interrupt the connection and cause a fallback to SSLv3. The connection, now using an older, less secure protocol, is more vulnerable to other attacks due to its weaker encryption techniques. Disabling SSLv3 ciphers is the only known way to avoid this attack. LineRate has SSLv3 ciphers installed by default for maximum compatibility, but if you're using HTTPS, you should follow this procedure to disable them. (Note that the use of SSLv3 has been discouraged for many years, so few connections require or even use SSL, preferring the much more secure TLS protocol.) You might also want to check out the BIG-IP response here. See SOL15702 for more details on this vulnerability.

The LineRate Team has worked on maintenance releases to address this vulnerability and others. You can find details of the maintenance releases here. Upgrading to the new versions, 2.2.7 and 2.4.2, leaves you with more ciphers than disabling SSLv3 ciphers using the workaround, because the workaround also disables some of the ciphers that work with TLS.

Please note that the action required differs between versions of LineRate:

  1. Organizations on LineRate version 2.2.x need to upgrade to version 2.2.7 (which has the SSLv2 and SSLv3 protocols disabled by default), and you are good to go.
  2. Organizations on LineRate version 2.4.x need to upgrade to version 2.4.2 (which has the SSLv2 and SSLv3 protocols disabled by default), and you are good to go.
  3. If upgrading is not an option, organizations on LineRate version 2.4.x can work around POODLE by disabling SSLv3 ciphers using the workaround procedure below.
  4. Organizations on LineRate version 1.6.x, please upgrade to version 2.4.2.

Workaround - Disabling SSLv3 Ciphers

Use the following procedure to disable the SSLv3 ciphers for any configured SSL profiles. Once these ciphers are disabled, any HTTPS connections initiated or terminated by the LineRate system will no longer be vulnerable to POODLE.

Step-by-step guide to disabling SSLv3 ciphers

  1. SSH to the LineRate system or use the console on the system to log in.
  2. Confirm the ciphers for the profile, in this example the one named "self-signed", by issuing the command: show ssl profile self-signed. In the output below, the SSLv3 ciphers are AES256-SHA, AES128-SHA and DES-CBC3-SHA. Note that the 'self-signed' profile is the default profile that ships with the system and is not generally used for production. Be sure to check and update all active SSL profiles on the system.

LROS# show ssl profile self-signed
Configuration
Primary Cert Name: self-signed set locally
Private Key Name: self-signed set locally
Chained Cert Name:
<none>
Primary Cert and Key Match: yes
Cipher List: HIGH:!ADH:!SSLv2:!PSK:!ECDH:!kEDH:!SRP:+AES:+3DES default
ECC Curve List: prime256v1 default
SSL Session Cache Mode: no cache set locally
SSL Session Cache Size: 0 set locally
SSL Session Tickets Mode: enabled default
Ordered cipher list
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
DES-CBC3-SHA
  3. Disable the SSLv3 ciphers using the command: cipher-list openssl "!SSLv3:HIGH:!ADH:!SSLv2:!PSK:!ECDH:!kEDH:!SRP:+AES:+3DES". This cipher list was obtained by taking the existing cipher list from the command run in Step 2 and prepending "!SSLv3". Using !, the ciphers are permanently deleted from the list. Please refer to the SSL Mode commands for more detail. Please note that this step will need to be repeated for every SSL profile configured on the system.

LROS# configure
LROS(config)# ssl profile self-signed
LROS(config-ssl-profile:self-signed)# cipher-list openssl "!SSLv3:HIGH:!ADH:!SSLv2:!PSK:!ECDH:!kEDH:!SRP:+AES:+3DES"
  4. Confirm that the cipher list no longer contains SSLv3 ciphers, using the show command from Step 2.
*LROS(config-ssl-profile:self-signed)# show ssl profile self-signed
Configuration
Primary Cert Name: self-signed set locally
Private Key Name: self-signed set locally
Chained Cert Name:
<none>
Primary Cert and Key Match: yes
Cipher List: !SSLv3:HIGH:!ADH:!SSLv2:!PSK:!ECDH:!kEDH:!SRP:+AES:+3DES set locally
ECC Curve List: prime256v1 default
SSL Session Cache Mode: no cache set locally
SSL Session Cache Size: 0 set locally
SSL Session Tickets Mode: enabled default
Ordered cipher list
AES256-GCM-SHA384
AES256-SHA256
AES128-GCM-SHA256
AES128-SHA256
  5. Save the configuration using the write command.
*LROS# write
  6. The above steps may be repeated for other SSL profiles configured on the LineRate system.
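
When many SSL profiles need the same change, the steps above can be checked offline. The following is an added example, not LineRate or F5 code: it parses saved show ssl profile output, builds the cipher-list command for Step 3, and reports which ciphers the change removed. The function names are hypothetical, and it assumes the output has the layout shown on this page.

```python
import re

# Constructed samples: trimmed 'show ssl profile' output as shown on this page.
BEFORE = """Cipher List: HIGH:!ADH:!SSLv2:!PSK:!ECDH:!kEDH:!SRP:+AES:+3DES default
Ordered cipher list
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
DES-CBC3-SHA
"""
AFTER = """Cipher List: !SSLv3:HIGH:!ADH:!SSLv2:!PSK:!ECDH:!kEDH:!SRP:+AES:+3DES set locally
Ordered cipher list
AES256-GCM-SHA384
AES256-SHA256
AES128-GCM-SHA256
AES128-SHA256
"""
SOURCE = re.compile(r"\s+(default|set locally)$")   # trailing origin marker
CIPHER = re.compile(r"^[A-Z0-9]+(-[A-Z0-9]+)+$")    # e.g. AES256-GCM-SHA384

def parse_profile(text):
    """Return (cipher_string, ordered_ciphers) parsed from the CLI output."""
    cipher_string, ordered, in_list = None, [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Cipher List:"):
            cipher_string = SOURCE.sub("", line.split(":", 1)[1].strip())
        elif line == "Ordered cipher list":
            in_list = True
        elif in_list and CIPHER.match(line):
            ordered.append(line)
        else:
            in_list = False      # any other line ends the ordered list
    if cipher_string is None:
        raise ValueError("no 'Cipher List:' line found")
    return cipher_string, ordered

def workaround_command(cipher_string):
    """Build the cipher-list command, prepending !SSLv3 only if it is absent."""
    tokens = cipher_string.split(":")
    if "!SSLv3" not in tokens:
        tokens.insert(0, "!SSLv3")
    return 'cipher-list openssl "%s"' % ":".join(tokens)

def removed_ciphers(before, after):
    """Ciphers present in the first profile's ordered list but not the second."""
    kept = set(parse_profile(after)[1])
    return [c for c in parse_profile(before)[1] if c not in kept]
```

Running removed_ciphers on output captured before and after the change gives a per-profile record of what was dropped, which helps when judging the compatibility impact of the workaround against upgrading.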

Related Product Documentation

LROS 2.4 CLI Reference Guide SSL Mode Commands - cipher-list

LROS 2.4 REST API Reference Guide - cipherListOpenSslFormat