SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

xenopeek
Level 24
Posts: 21249
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Postby xenopeek » Wed Oct 15, 2014 3:59 am

News hitting the web today is that there is a vulnerability in SSL protocol version 3.0 (SSLv3), dubbed "POODLE". This post will provide you with a summary of need-to-know information and the Linux Mint team will update this post over time as needed.

UPDATE for Linux Mint 13 and 17:
    For users of Linux Mint 13 and Linux Mint 17 an update to OpenSSL is available. If you have applied level 3 updates from Update Manager, you'll already have it. Details on Canonical Blog. The update to OpenSSL will make it so that a browser and a website will always use the latest encryption protocol they both support (known as "TLS_FALLBACK_SCSV"). This makes it so an attacker can't trick your browser and the website you visit to downgrade from using the modern and secure TLS to using the old and vulnerable SSLv3.

    There are still websites that don't support TLS. As shared on the Canonical Blog this vulnerability needs action from the entire Internet, both browsers and websites need to be updated to remove support for SSLv3.
UPDATE for LMDE:
    The above described update to OpenSSL is also available for LMDE users through Update Manager.
What is the vulnerability?
SSLv3 is a protocol for encrypting the connection between your browser and a website you visit so others can't see what data is sent over the connection. The vulnerability in SSLv3 would allow an attacker to break the encryption and see what data is sent over the connection. While SSLv3 is a very old protocol and hardly used today (reportedly used on less than 1% of the secure web connections, and less than 0.1% of all web connections), as it's been superseded by the TLS protocol, an attacker could trick your browser and the website you visit to downgrade from using the modern and secure TLS to using the old and vulnerable SSLv3.

How will the vulnerability be patched?
In short, the vulnerability in SSLv3 itself won't be patched but instead major browsers (like those linked below) will drop support for SSLv3 in their next releases. This will effectively remove the vulnerability for users of those browsers. To mitigate attacks till those next releases arrive, a patch to OpenSSL will be done that dramatically reduces the risks from this vulnerability (see update above; browsers and websites that support TLS can then no longer be tricked by an attacker to use the old and vulnerable SSLv3).

Because the next releases of those browsers aren't arriving until weeks from now, various websites are already removing support for SSLv3 from their servers. Both the browser and the website need to support SSLv3 for the vulnerability to affect you, so websites removing this support removes the vulnerability for all their users immediately. As browsers are removing SSLv3 support, websites will have to follow anyway or else visitors to those websites won't be able to use an encrypted connection.

What can/should I do now?
For major browsers you can yourself disable the support for SSLv3, ahead of the next releases of those browsers. I recommend that you do so. Doing so will effectively remove the vulnerability for your browser immediately.

  • Firefox: Install Mozilla's SSL Version Control add-on. This will immediately drop support for SSLv3. Restart your browser afterwards to close any currently open SSL connections. With the release of Firefox 34 at end of November, you can remove this add-on again as Firefox 34 will not include SSLv3 support. (Alternatively, you can go to about:config and set the value of security.tls.version.min to 1. You don't need to install the add-on then.)
  • Chromium: You need to edit the launcher for Chromium to include the option "--ssl-version-min=tls1", which would disable SSLv3 support. You can do so by running the following command from the terminal:
    sudo sed -ri 's/^(Exec=[^ ]*)(.*)$/\1 --ssl-version-min=tls1\2/' /usr/share/applications/chromium-browser.desktop
  • Google Chrome: You need to edit the launcher for Google Chrome to include the option "--ssl-version-min=tls1", which would disable SSLv3 support. You can do so by running the following command from the terminal:
    sudo sed -ri 's/^(Exec=[^ ]*)(.*)$/\1 --ssl-version-min=tls1\2/' /usr/share/applications/google-chrome.desktop
  • Epiphany (Gnome Web): Doesn't appear to be vulnerable, no need to do anything.
Programs with embedded browsers, like email clients, may need to have SSLv3 support removed also.

  • Thunderbird: Click on the application button (icon on the right side of the menu bar) and click on Preferences in the menu that appears. Choose Advanced in the menu bar and on the General tab click on Config Editor. Search for security.tls.version.min and set its value to 1. Restart Thunderbird afterwards to close any currently open SSL connections.
How can I test whether my browser is (still) vulnerable?
You can test whether your browser is vulnerable by visiting https://www.poodletest.com/. Note that browsers may cache this website, so if you have visited it before applying one of the above changes, then upon visiting the website again (and seeing the same result as before) press Ctrl+F5 to force the browser to bypass the cache.

Where can I find more information?
You can read Google's announcement for detailed information on the vulnerability and the plans for Google Chrome, or Mozilla's announcement for the plans for Firefox. There are many other websites giving information on this vulnerability. Various websites have already responded to the vulnerability and have disabled SSLv3 on their servers (like CloudFlare and FastMail).

Does this vulnerability only affect Linux?
No, this is a vulnerability in a common Internet protocol—it's not a programming mistake but a mistake in the design of the protocol. It affects users of all operating systems. So if you are also using other operating systems (including mobile), test your browsers there also and if needed take steps to disable SSLv3 support. There may be differences across operating systems; for example Firefox on Windows 7 Enterprise appears to not be vulnerable.

What if I'm running a server?
Perhaps needless to say, but if you are running a server and are using HTTPS (encrypted web connections) you should take steps to disable SSLv3 support on your server. Note that SSH isn't affected.
Last edited by xenopeek on Tue Nov 11, 2014 3:58 am, edited 6 times in total.
Reason: Updates from Canonical Blog; updates for LMDE.
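The downgrade the post describes, and the two ways the thread says it gets closed (servers dropping SSLv3, and TLS_FALLBACK_SCSV honoured on both sides), modelled as a small Python exchange between a client and a server. This is an added example written for this page, not code from xenopeek, Linux Mint, Canonical or OpenSSL: the ClientHello, ServerHello and alert bytes follow the real record layout, and the SCSV suite value 0x5600 and the inappropriate_fallback alert (86) are the values RFC 7507 defines, but the "transport" that fails handshakes above a chosen version is a constructed stand-in for whatever interference makes a browser retry, and no network is used.

```python
import struct
from functools import partial

SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
VERSION_NAMES = {SSL3: "SSLv3", TLS10: "TLS1.0", TLS11: "TLS1.1", TLS12: "TLS1.2"}
TLS_FALLBACK_SCSV = 0x5600   # signalling cipher suite value from RFC 7507
DEMO_SUITE = 0x002F          # TLS_RSA_WITH_AES_128_CBC_SHA, one ordinary suite for the demo
ALERT_NAMES = {70: "protocol_version", 86: "inappropriate_fallback"}


def client_hello(version, fallback):
    """Minimal ClientHello record: no session id, no extensions. On a fallback
    retry the client appends TLS_FALLBACK_SCSV to its cipher suite list."""
    suites = [DEMO_SUITE] + ([TLS_FALLBACK_SCSV] if fallback else [])
    body = (bytes(version) + b"\x00" * 32 + b"\x00"          # version, random, empty session id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00")                                   # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    body = record[9:]                     # skip 5-byte record header + 4-byte handshake header
    version = (body[0], body[1])
    pos = 35 + body[34]                   # session id length sits after the 32-byte random
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    suites = [struct.unpack("!H", body[pos + 2 + i:pos + 4 + i])[0] for i in range(0, n, 2)]
    return version, suites


def alert(description, version):
    """Fatal alert record (level 2) carrying the given description code."""
    return b"\x15" + bytes(version) + b"\x00\x02\x02" + bytes([description])


def server_respond(record, min_version, max_version, honour_scsv):
    """Server side: refuse versions below min_version, refuse a downgraded retry
    when the SCSV is present (RFC 7507), otherwise pick the highest version both
    sides support and answer with a minimal ServerHello."""
    version, suites = parse_client_hello(record)
    if version < min_version:
        return alert(70, max_version)                       # protocol_version
    if honour_scsv and TLS_FALLBACK_SCSV in suites and version < max_version:
        return alert(86, max_version)                       # inappropriate_fallback
    chosen = min(version, max_version)
    body = bytes(chosen) + b"\x00" * 32 + b"\x00" + struct.pack("!H", DEMO_SUITE) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(chosen) + struct.pack("!H", len(handshake)) + handshake


def negotiate(server, transport, send_scsv):
    """Pre-2014 browser behaviour: try TLS 1.2 first and, whenever an attempt
    simply fails, retry one version lower, down to SSLv3. A client that
    implements RFC 7507 marks every retry with the SCSV."""
    versions = [TLS12, TLS11, TLS10, SSL3]
    for attempt, version in enumerate(versions):
        try:
            reply = transport(server, client_hello(version, send_scsv and attempt > 0))
        except ConnectionError:
            continue                                        # failed attempt: fall back
        if reply[0] == 0x15:
            return "alert:" + ALERT_NAMES.get(reply[6], str(reply[6]))
        return "negotiated:" + VERSION_NAMES[(reply[1], reply[2])]
    return "failed"


def clean_transport(server, record):
    return server(record)


def transport_failing_above(ceiling):
    """Constructed stand-in for interference: every handshake above `ceiling`
    fails, so a client that falls back walks down to `ceiling`."""
    def transport(server, record):
        if (record[1], record[2]) > ceiling:
            raise ConnectionError("handshake did not complete")
        return server(record)
    return transport


# Three server configurations: before the fix, with the OpenSSL update (SCSV),
# and with SSLv3 switched off entirely (what "disable SSLv3 on your server" does).
unpatched = partial(server_respond, min_version=SSL3, max_version=TLS12, honour_scsv=False)
scsv_server = partial(server_respond, min_version=SSL3, max_version=TLS12, honour_scsv=True)
no_ssl3 = partial(server_respond, min_version=TLS10, max_version=TLS12, honour_scsv=True)


def run_scenarios():
    interfered = transport_failing_above(SSL3)
    return {
        "clean/unpatched": negotiate(unpatched, clean_transport, send_scsv=False),
        "interfered/unpatched": negotiate(unpatched, interfered, send_scsv=False),
        "interfered/scsv both sides": negotiate(scsv_server, interfered, send_scsv=True),
        "interfered/server drops SSLv3": negotiate(no_ssl3, interfered, send_scsv=False),
        "interfered/scsv client, old server": negotiate(unpatched, interfered, send_scsv=True),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:36} {outcome}")
```

The last scenario is why the post says both browsers and websites need updating: a client that sends the SCSV gains nothing from a server that does not check for it, and only the server refusing SSLv3 altogether (or honouring the SCSV) keeps the connection off SSLv3.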

cb474
Level 3
Posts: 116
Joined: Thu Dec 11, 2008 9:01 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE"

Postby cb474 » Wed Oct 15, 2014 6:04 am

For Chromium I found I had to edit the properties of the shortcut in the MintMenu and add "--ssl-version-min=tls1." Simply editing the .desktop file did not fix the problem.

But even after I'd modified the shortcut in MintMenu and the .desktop file, if I launch chromium with Alt+F2, from a terminal, or with Gnome-Do (I'm using the Mate desktop) Chromium remains vulnerable. The setting only applies if I launch Chromium from the MintMenu.

Any suggestions about how to get this to apply to Chromium more universally?

Thanks.

xenopeek
Level 24
Posts: 21249
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: SSL 3.0 vulnerability a.k.a. "POODLE"

Postby xenopeek » Wed Oct 15, 2014 6:13 am

cb474, I had a mistake in the name of the .desktop file for Chromium on Linux Mint. If you used my command, it wouldn't have done anything. Steps for Chromium are, as noted above:
  • Change the .desktop file with above command (it's been corrected);
  • Log out or reboot;
  • Start Chromium again and visit the poodletest website, and if you visited that website before in Chromium force a reload bypassing the cache with Ctrl+F5.
With those steps on Linux Mint 17 MATE, Chromium passes the poodletest.

cb474
Level 3
Posts: 116
Joined: Thu Dec 11, 2008 9:01 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE"

Postby cb474 » Wed Oct 15, 2014 7:17 pm

xenopeek,

Thanks for the suggestion.

I edited the .desktop file manually, I didn't use the command line instructions you provide, so that wasn't the problem.

If I launch Chromium directly from the .desktop file, it works correctly to block SSLv3. And launching it from MintMenu works fine after I edited the shortcut properties in MintMenu. But launching Chromium from Alt+F2, Gnome-Do, or the Terminal, does not properly block SSLv3. Restarting my system made no difference.

I guess when Chromium is launched in one of those latter ways it does not invoke the .desktop file? Even if I launch Chromium from the terminal using the command "chromium --ssl-version-min=tls1 %U" it doesn't block SSLv3.

Any other thoughts?

xenopeek
Level 24
Posts: 21249
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: SSL 3.0 vulnerability a.k.a. "POODLE"

Postby xenopeek » Thu Oct 16, 2014 1:13 am

cb474 wrote:I guess when Chromium is launched in one of those latter ways it does not invoke the .desktop file?

Correct, if you yourself directly invoke the chromium command--and not use the launcher in your menu which through the edit of the .desktop file invokes the chromium command with --ssl-version-min=tls1 option--then you have to call it with the option yourself. Command would be:


chromium --ssl-version-min=tls1

No %U (doesn't make sense outside of .desktop file). Doing that command passes poodletest here. Did you hit Ctrl+F5?

cb474
Level 3
Posts: 116
Joined: Thu Dec 11, 2008 9:01 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE"

Postby cb474 » Thu Oct 16, 2014 4:40 am

xenopeek wrote:
cb474 wrote:I guess when Chromium is launched in one of those latter ways it does not invoke the .desktop file?

Correct, if you yourself directly invoke the chromium command--and not use the launcher in your menu which through the edit of the .desktop file invokes the chromium command with --ssl-version-min=tls1 option--then you have to call it with the option yourself. Command would be:


chromium --ssl-version-min=tls1

No %U (doesn't make sense outside of .desktop file). Doing that command passes poodletest here. Did you hit Ctrl+F5?

Okay, thanks for confirming.

Gnome-Do is now giving me the behavior I want.

But curiously, if I launch Chromium from Alt+F2 or the terminal, with "chromium --ssl-version-min=tls1," poodletest.com still says Chromium is vulnerable.

It's frustrating to have to keep track of how I launch Chromium. Hopefully the permanent fix will come soon.

xenopeek
Level 24
Posts: 21249
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: SSL 3.0 vulnerability a.k.a. "POODLE"

Postby xenopeek » Thu Oct 16, 2014 5:52 am

cb474 wrote:It's frustrating to have to keep track of how I launch Chromium.

Well, who uses the menu launcher (perhaps also a favorite?), Gnome-Do, Alt+F2, and the terminal to start one application :) I think most users just use just one. Anyway, if you need a "launcher" that works on Alt+F2 and the terminal you can. Create the folder bin in your home folder if it doesn't exist yet. Create the file called chromium (or if you want chromium-browser) there and put this in it:

#!/bin/sh
# Wrapper that starts Chromium with SSLv3 disabled. "$@" passes along any URL or
# other arguments given on the command line, so "chromium https://..." keeps working.
exec /usr/bin/chromium-browser --ssl-version-min=tls1 "$@"

Save the file and right-click it and in properties set to allow executing it. Log out or reboot to activate the change (bin folder will be added to your path through .profile upon next login). Next time you type the command "chromium" (or "chromium-browser" if you went with the alternative) in the terminal or Alt+F2, it launches with the option added.

xenopeek
Level 24
Posts: 21249
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Postby xenopeek » Thu Oct 16, 2014 6:59 am

UPDATE:
    For users of Linux Mint 13 and Linux Mint 17 an update to OpenSSL will be shortly available. Details on Canonical Blog. The update to OpenSSL will make it so that a browser and a website will always use the latest encryption protocol they both support (known as "TLS_FALLBACK_SCSV"). This makes it so an attacker can't trick your browser and the website you visit to downgrade from using the modern and secure TLS to using the old and vulnerable SSLv3.

    There are still websites that don't support TLS. As shared on the Canonical Blog this vulnerability needs action from the entire Internet, both browsers and websites need to be updated to remove support for SSLv3.

Rabbit_Peril
Level 1
Posts: 3
Joined: Mon Oct 13, 2014 10:10 pm

Re: SSL 3.0 Debian Chromium Fix- no Fuss GUI fix

Postby Rabbit_Peril » Thu Oct 16, 2014 10:32 am

Simply open /usr/share/applications as root with your favorite file manager, scroll down until you find Chromium Web Browser. Right click and select "Open with..." Choose or type in gedit or your favorite text editor. Make your Exec line look like this:

Exec=/usr/bin/chromium --ssl-version-min=tls1 %U

Then save and then your launchers will have sslv3 disabled.

You can double check by right clicking your launchers and selecting edit and look to see if "--ssl-version-min=tls1" is in the command line.

Oh, then clear browser cache. I logged out and in again but I don't know if that is really necessary.
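A way to check every launcher at once instead of right-clicking each one, as an added example for this page (not code from Rabbit_Peril, xenopeek or Linux Mint). It parses the Exec= lines of .desktop files, reports which browser launchers lack --ssl-version-min=tls1, and can insert the flag in the same position the sed command in the first post uses. The sample .desktop text is constructed for the demo; the directory list and the set of browser binary names are assumptions you may need to adjust for your system.

```python
import glob
import os
import shlex

FLAG = "--ssl-version-min=tls1"
# Binary names mentioned in the thread (chromium-browser on Mint, chromium on
# Debian/LMDE, google-chrome); assumed list, extend as needed.
BROWSERS = {"chromium", "chromium-browser", "google-chrome", "google-chrome-stable"}
# Assumed launcher locations: system-wide plus the per-user override directory.
LAUNCHER_DIRS = ("/usr/share/applications", os.path.expanduser("~/.local/share/applications"))

# Constructed sample, shaped like a Chromium launcher with one desktop action.
SAMPLE = """[Desktop Entry]
Name=Chromium Web Browser
Exec=/usr/bin/chromium-browser %U
Type=Application
Actions=NewWindow;

[Desktop Action NewWindow]
Name=Open a New Window
Exec=/usr/bin/chromium-browser
"""


def _browser_argv(line):
    """argv of an Exec= line if it starts one of the browsers directly, else None.
    Exec values quote like a shell, so shlex is close enough; a launcher that goes
    through "env" or a wrapper script will not match and must be checked by hand."""
    if not line.startswith("Exec="):
        return None
    try:
        argv = shlex.split(line[5:])
    except ValueError:            # unbalanced quotes: not something we can judge
        return None
    if argv and os.path.basename(argv[0]) in BROWSERS:
        return argv
    return None


def launcher_status(text):
    """(line number, program, flag present?) for every browser Exec= line, including
    those in [Desktop Action ...] groups, which launch the browser too."""
    found = []
    for number, line in enumerate(text.splitlines(), 1):
        argv = _browser_argv(line)
        if argv:
            found.append((number, os.path.basename(argv[0]), FLAG in argv[1:]))
    return found


def add_flag(text):
    """Insert FLAG right after the program on every browser Exec= line that lacks it,
    the same placement as the sed one-liner in the first post; idempotent."""
    lines = text.split("\n")
    for i, line in enumerate(lines):
        argv = _browser_argv(line)
        if argv and FLAG not in argv:
            program, sep, rest = line[5:].partition(" ")
            lines[i] = "Exec=" + program + " " + FLAG + sep + rest
    return "\n".join(lines)


def audit(dirs=LAUNCHER_DIRS):
    """Scan real launcher directories; returns [(path, line, program, has_flag)]."""
    report = []
    for directory in dirs:
        for path in sorted(glob.glob(os.path.join(directory, "*.desktop"))):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for number, program, ok in launcher_status(fh.read()):
                    report.append((path, number, program, ok))
    return report


if __name__ == "__main__":
    for path, number, program, ok in audit():
        print(f"{'ok     ' if ok else 'MISSING'} {path}:{number} ({program})")
```

Run it as-is to get the report; to apply the edit to a file, write `add_flag(open(path).read())` back with root rights, which changes nothing on a file that already carries the flag. As the rest of the thread points out, this only covers launches that go through a .desktop file.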

xenopeek
Level 24
Posts: 21249
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Postby xenopeek » Thu Oct 16, 2014 1:14 pm

Rabbit_Peril, you missed cb474's point; he's also starting applications from Alt+F2 and from the terminal. That way commands are invoked directly, not using .desktop files.

xenopeek
Level 24
Posts: 21249
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Postby xenopeek » Thu Oct 16, 2014 3:24 pm

LMDE users can get openssl 1.0.1j-1 from Debian unstable (Sid):

1. add unstable repo && apt update
2. apt install -t unstable libssl1.0.0 openssl
3. remove unstable repo

When it'll migrate to Testing, we can ask Clem to add it to Mint repo.

Changelog: http://metadata.ftp-master.debian.org/c ... _changelog

cb474
Level 3
Posts: 116
Joined: Thu Dec 11, 2008 9:01 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Postby cb474 » Thu Oct 16, 2014 10:42 pm

xenopeek,

Thanks for the further help. Yeah, usually I just launch things with Gnome-Do, but occasionally I use some other method, for whatever reason, and just don't want to forget that this will end up not disabling SSLv3.

When you say create the folder "bin" in my home directory, do you mean in /home or in /home/user? Can I create it as a hidden folder? Thanks

CB

xenopeek
Level 24
Posts: 21249
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Postby xenopeek » Fri Oct 17, 2014 1:56 am

cb474 wrote:When you say create the folder "bin" in my home directory, do you mean in /home or in /home/user? Can I create it as a hidden folder?

I meant create the folder /home/user/bin (e.g., /home/cb474/bin). If you want to create it as a hidden folder (/home/user/.bin) you can, but then edit your .profile file and change all the code to make it detect presence of .bin and add that to the PATH instead of bin.

fu-sen
Level 1
Posts: 37
Joined: Thu Mar 06, 2014 4:16 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Postby fu-sen » Fri Oct 17, 2014 2:29 am

Chromium (and Google Chrome) has a way to include options in a file.

Please open the file /etc/chromium-browser/default (Mint 17, 13), /etc/chromium/default (LMDE)
or /etc/google-chrome/default as root,
and add --ssl-version-min=tls1 to the CHROMIUM_FLAGS line:

CHROMIUM_FLAGS="--disable-new-tab-first-run --enable-user-scripts"

to:

CHROMIUM_FLAGS="--disable-new-tab-first-run --enable-user-scripts --ssl-version-min=tls1"

Addition: Linux Mint 17 cannot use this procedure; the application concerned overwrites the default file.

cb474
Level 3
Posts: 116
Joined: Thu Dec 11, 2008 9:01 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Postby cb474 » Sat Oct 18, 2014 9:45 pm

xenopeek wrote:
cb474 wrote:When you say create the folder "bin" in my home directory, do you mean in /home or in /home/user? Can I create it as a hidden folder?

I meant create the folder /home/user/bin (e.g., /home/cb474/bin). If you want to create it as a hidden folder (/home/user/.bin) you can, but then edit your .profile file and change all the code to make it detect presence of .bin and add that to the PATH instead of bin.

Okay, thanks xenopeek.

zolar1
Level 4
Posts: 259
Joined: Fri Oct 05, 2012 9:07 pm

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Postby zolar1 » Mon Oct 20, 2014 3:26 pm

I use Opera. Does this affect that as well and if so, how to fix the problem?
Freedom isn't free. It has a HIGH price.

xenopeek
Level 24
Posts: 21249
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Postby xenopeek » Mon Oct 20, 2014 3:53 pm

Have you tested it?
xenopeek wrote:You can test whether your browser is vulnerable by visiting https://www.poodletest.com/.

Do you have Opera 12, or do you have Opera 26 beta? (You can get the beta version for Linux from the blog: http://blogs.opera.com/desktop/) Linux is not a priority for Opera. I'd personally hesitate to use it if you need a secure browser on Linux. Using Opera 26 beta might be a better choice; it is at least maintained code.

killer de bug
Level 14
Posts: 5277
Joined: Tue Jul 08, 2008 1:49 pm
Location: Graz, Austria

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Postby killer de bug » Tue Oct 21, 2014 2:59 pm

The fix is in the official repo of LMDE now.
The first post can be updated :wink:
If it ain't broke, fix it until it is.

xenopeek
Level 24
Posts: 21249
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Postby xenopeek » Tue Oct 21, 2014 3:04 pm

I just got that update from Clem :wink: New version of Firefox and Thunderbird have also been released for LMDE. Updated the first post here to inform LMDE update to OpenSSL is available from Update Manager directly.

fu-sen
Level 1
Posts: 37
Joined: Thu Mar 06, 2014 4:16 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Postby fu-sen » Wed Oct 22, 2014 12:36 am

I confirmed the package update of openssl and libssl in LMDE,
but the delivered version is "1.0.1i-2", and this is not the corresponding fix.

Please be careful: the Debian package was updated to "1.0.1j-1" on 21 Oct.

https://packages.qa.debian.org/o/openss ... 3918Z.html

Reference:
https://packages.qa.debian.org/o/openssl.html

