SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Releases and other announcements.
Please don't post support questions here
Forum rules
Section reserved for the team. You can reply to announcements here but not post new topics. Do not add support questions to threads here, use the appropriate support forum instead.
User avatar
xenopeek
Level 25
Level 25
Posts: 30479
Joined: Wed Jul 06, 2011 3:58 am

SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by xenopeek »

News hitting the web today is that there is a vulnerability in SSL protocol version 3.0 (SSLv3), dubbed "POODLE". This post will provide you with a summary of need-to-know information and the Linux Mint team will update this post over time as needed.

UPDATE for Linux Mint 13 and 17:
  • For users of Linux Mint 13 and Linux Mint 17 an update to OpenSSL is available. If you have applied level 3 updates from Update Manager, you'll already have it. Details on Canonical Blog. The update to OpenSSL will make it so that a browser and a website will always use the latest encryption protocol they both support (known as "TLS_FALLBACK_SCSV"). This makes it so an attacker can't trick your browser and the website you visit to downgrade from using the modern and secure TLS to using the old and vulnerable SSLv3.

    There are still websites that don't support TLS. As shared on the Canonical Blog this vulnerability needs action from the entire Internet, both browsers and websites need to be updated to remove support for SSLv3.
UPDATE for LMDE:
  • The above described update to OpenSSL is also available for LMDE users through Update Manager.
What is the vulnerability?
SSLv3 is a protocol for encrypting the connection between your browser and a website you visit so others can't see what data is sent over the connection. The vulnerability in SSLv3 would allow an attacker to break the encryption and see what data is sent over the connection. While SSLv3 is a very old protocol and hardly used today (reportedly used on less than 1% of the secure web connections, and less than 0.1% of all web connections), as it's been superseded by the TLS protocol, an attacker could trick your browser and the website you visit to downgrade from using the modern and secure TLS to using the old and vulnerable SSLv3.

How will the vulnerability be patched?
In short, the vulnerability in SSLv3 itself won't be patched but instead major browsers (like linked below) will drop support for SSLv3 in their next releases. This will effectively remove the vulnerability for users of those browsers. To mitigate attacks till those next releases arrive, a patch to OpenSSL will be done that dramatically reduces the risks from this vulnerability (see update above; browsers and websites that support TLS can then no longer be tricker by an attacker to use the old and vulnerable SSLv3).

Because the next releases of those browser aren't arriving until weeks from now, various websites are already removing support for SSLv3 from their servers. Both the browser and the website need to support SSLv3 for the vulnerability to affect you, so websites removing this support removes the vulnerability for all their users immediately. As browsers are removing SSLv3 support, websites will have to follow anyway or else visitors to those websites won't be able to use an encrypted connection.

What can/should I do now?
For major browsers you can yourself disable the support for SSLv3, ahead of the next releases of those browser. I recommend that you do so. Doing so will effectively remove the vulnerability for your browser immediately.
  • Firefox: Install Mozilla's SSL Version Control add-on. This will immediately drop support for SSLv3. Restart your browser afterwards to close any currently open SSL connections. With the release of Firefox 34 at end of November, you can remove this add-on again as Firefox 34 will not include SSLv3 support. (Alternatively, you can go to about:config and set the value of security.tls.version.min to 1. You don't need to install the add-on then.)
  • Chromium: You need to edit the launcher for Chromium to include the option "--ssl-version-min=tls1", which would disable SSLv3 support. You can do so by running the following command from the terminal:
    sudo sed -ri 's/^(Exec=[^ ]*)(.*)$/\1 --ssl-version-min=tls1\2/' /usr/share/applications/chromium-browser.desktop
  • Google Chrome: You need to edit the launcher for Google Chrome to include the option "--ssl-version-min=tls1", which would disable SSLv3 support. You can do so by running the following command from the terminal:
    sudo sed -ri 's/^(Exec=[^ ]*)(.*)$/\1 --ssl-version-min=tls1\2/' /usr/share/applications/google-chrome.desktop
  • Epiphany (Gnome Web): Doesn't appear to be vulnerable, no need to do anything.
Programs with embedded browsers, like email clients, may need to have SSLv3 support removed also.
  • Thunderbird: Click on the application button (icon on the right side of the menu bar) and click on Preferences in the menu that appears. Choose Advanced in the menu bar and on the General tab click on Config Editor. Search for security.tls.version.min and set its value to 1. Restart Thunderbird afterwards to close any currently open SSL connections.
How can I test whether my browser is (still) vulnerable?
You can test whether your browser is vulnerable by visiting https://www.poodletest.com/. Note that browsers may cache this website, so if you have visited it before applying one of the above changes please upon visiting the website again (and seeing the same result as before) press Ctrl+F5 to force the browser to bypass the cache.

Where can I find more information?
You can read Google's announcement for detailed information on the vulnerability and the plans for Google Chrome, or Mozilla's announcement for the plans for Firefox. There are many other websites giving information on this vulnerability. Various websites have already responded to the vulnerability and have disabled SSLv3 on their servers (like CloudFlare and FastMail).

Does this vulnerability only affect Linux?
No, this is a vulnerability in a common Internet protocol—it's not a programming mistake but a mistake in the design of the protocol. It affects users of all operating systems. So if you are also using other operating systems (including mobile), test your browsers there also and if needed take steps to disable SSLv3 support. There may be differences across operating systems; for example Firefox on Windows 7 Enterprise appears to not be vulnerable.

What if I'm running a server?
Perhaps needless to say, but if you are running a server and are using HTTPS (encrypted web connections) you should take steps to disable SSLv3 support on your server. Note that SSH isn't affected.
Last edited by xenopeek on Tue Nov 11, 2014 3:58 am, edited 6 times in total.
Reason: Updates from Canonical Blog; updates for LMDE.
Image
cb474

Re: SSL 3.0 vulnerability a.k.a. "POODLE"

Post by cb474 »

For Chromium I found I had to edit the properties of the shortcut in the MintMenu and add "--ssl-version-min=tls1." Simply editing the .desktop file did not fix the problem.

But even after I'd modified the shortcut in MintMenu and the .desktop file, if I launch chromium with Alt+F2, from a terminal, or with Gnome-Do (I'm using the Mate desktop) Chromium remains vulnerable. The setting only applies if Iaunch Chromium from the MintMenu.

Any suggestions about how to get this to apply to Chromium more universally?

Thanks.
User avatar
xenopeek
Level 25
Level 25
Posts: 30479
Joined: Wed Jul 06, 2011 3:58 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE"

Post by xenopeek »

cb474, I had a mistake in the name of the .desktop file for Chromium on Linux Mint. If you used my command, it wouldn't have done anything. Steps for Chromium are, as noted above:
  • Change the .desktop file with above command (it's been corrected);
  • Log out or reboot;
  • Start Chromium again and visit the poodletest website, and if you visited that website before in Chromium force a reload bypassing the cache with Ctrl+F5.
With those steps on Linux Mint 17 MATE, Chromium passes the poodletest.
Image
cb474

Re: SSL 3.0 vulnerability a.k.a. "POODLE"

Post by cb474 »

xenopeek,

Thanks for the suggestion.

I edited the .desktop file manually, I didn't use the command line instructions you provide, so that wasn't the problem.

If I launch Chromium directly from the .desktop file, it works correctly to block SSLv3. And launching it from MintMenu works fine after I edited the shortcut properties in MintMenu. But launching Chromium from Alt+F2, Gnome-Do, or the Terminal, does not properly block SSLv3. Restarting my system made no difference.

I guess when Chromium is launched in one of those latter ways it does not invoke the .desktop file? Even if I launch Chromium from the terminal using the command "chromium --ssl-version-min=tls1 %U" it doesn't block SSLv3.

Any other thoughts?
User avatar
xenopeek
Level 25
Level 25
Posts: 30479
Joined: Wed Jul 06, 2011 3:58 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE"

Post by xenopeek »

cb474 wrote:I guess when Chromium is launched in one of those latter ways it does not invoke the .desktop file?
Correct, if you yourself directly invoke the chromium command--and not use the launcher in your menu which through the edit of the .desktop file invokes the chromium command with --ssl-version-min=tls1 option--then you have to call it with the option yourself. Command would be:

Code: Select all

chromium --ssl-version-min=tls1
No %U (doesn't make sense outside of .desktop file). Doing that command passes poodletest here. Did you hit Ctrl+F5?
Image
cb474

Re: SSL 3.0 vulnerability a.k.a. "POODLE"

Post by cb474 »

xenopeek wrote:
cb474 wrote:I guess when Chromium is launched in one of those latter ways it does not invoke the .desktop file?
Correct, if you yourself directly invoke the chromium command--and not use the launcher in your menu which through the edit of the .desktop file invokes the chromium command with --ssl-version-min=tls1 option--then you have to call it with the option yourself. Command would be:

Code: Select all

chromium --ssl-version-min=tls1
No %U (doesn't make sense outside of .desktop file). Doing that command passes poodletest here. Did you hit Ctrl+F5?
Okay, thanks for confirming.

Gnome-Do is now giving me the behavior I want.

But curiously, if I launch Chromium from Alt+F2 or the terminal, with "chromium --ssl-version-min=tls1," poodletest.com still says Chromium is vulnerable.

It's frustating to have to keep track of how I launch Chromium. Hopefully the premanent fix will come soon.
User avatar
xenopeek
Level 25
Level 25
Posts: 30479
Joined: Wed Jul 06, 2011 3:58 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE"

Post by xenopeek »

cb474 wrote:It's frustating to have to keep track of how I launch Chromium.
Well, who uses the menu launcher (perhaps also a favorite?), Gnome-Do, Alt+F2, and the terminal to start one application :) I think most users just use just one. Anyway, if you need a "launcher" that works on Alt+F2 and the terminal you can. Create the folder bin in your home folder if it doesn't exist yet. Create the file called chromium (or if you want chromium-browser) there and put this in it:

Code: Select all

#!/bin/sh
/usr/bin/chromium-browser --ssl-version-min=tls1
Save the file and right-click it and in properties set to allow executing it. Log out or reboot to activate the change (bin folder will be added to your path through .profile upon next login). Next time you type the command "chromium" (or "chromium-browser" if you went with the alternative) in the terminal or Alt+F2, it launches with the option added.
Image
User avatar
xenopeek
Level 25
Level 25
Posts: 30479
Joined: Wed Jul 06, 2011 3:58 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by xenopeek »

UPDATE:
  • For users of Linux Mint 13 and Linux Mint 17 an update to OpenSSL will be shortly available. Details on Canonical Blog. The update to OpenSSL will make it so that a browser and a website will always use the latest encryption protocol they both support (known as "TLS_FALLBACK_SCSV"). This makes it so an attacker can't trick your browser and the website you visit to downgrade from using the modern and secure TLS to using the old and vulnerable SSLv3.

    There are still websites that don't support TLS. As shared on the Canonical Blog this vulnerability needs action from the entire Internet, both browsers and websites need to be updated to remove support for SSLv3.
Image
Rabbit_Peril

Re: SSL 3.0 Debian Chromium Fix- no Fuss GUI fix

Post by Rabbit_Peril »

Simply open /usr/share/applications as root with your favorite file manager, scroll down until you find Chromium Web Browser. Right click and select "Open with..." Choose or type in gedit or your favorite text editor. Make your Exec line look like this:

Exec=/usr/bin/chromium --ssl-version-min=tls1 %U

Then save and then your launchers will have sslv3 disabled.

You can double check by right clicking your launchers and selecting edit and look to see if "--ssl-version-min=tls1" is in the command line.

Oh, then clear browser cache. I logged out and in again but I don't know if that is really necessary.
User avatar
xenopeek
Level 25
Level 25
Posts: 30479
Joined: Wed Jul 06, 2011 3:58 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by xenopeek »

Rabbit_Peril, you missed cb474's point; he's also starting applications from Alt+F2 and from the terminal. That way commands are invoked directly, not using .desktop files.
Image
User avatar
xenopeek
Level 25
Level 25
Posts: 30479
Joined: Wed Jul 06, 2011 3:58 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by xenopeek »

LMDE users can get openssl 1.0.1j-1 from Debian unstable (Sid):

1. add unstable repo && apt update
2. apt install -t unstable libssl1.0.0 openssl
3. remove unstable repo

When it'll migrate to Testing, we can ask Clem to add it to Mint repo.

Changelog: http://metadata.ftp-master.debian.org/c ... _changelog
Image
cb474

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by cb474 »

xenopeek,

Thanks for the further help. Yeah, usually I just launch things with Gnome-Do, but occasionally I use some other method, for whatever reason, and just don't want to forget that this will end up not disabling SSLv3.

When you say ceate the folder "bin" in my home directory, do you mean in /home or in /home/user? Can I create it as a hidden folder? Thanks

CB
User avatar
xenopeek
Level 25
Level 25
Posts: 30479
Joined: Wed Jul 06, 2011 3:58 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by xenopeek »

cb474 wrote:When you say ceate the folder "bin" in my home directory, do you mean in /home or in /home/user? Can I create it as a hidden folder?
I meant create the folder /home/user/bin (e.g., /home/cb474/bin). If you want to create it as a hidden folder (/home/user/.bin) you can, but then edit your .profile file and change all the code to make it detect presence of .bin and add that to the PATH instead of bin.
Image
fu-sen

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by fu-sen »

Chromium (and Google Chrome) has a method to include an option in a file.

Please open file /etc/chromium-browser/default(17,13), /etc/chromium/default(LMDE)
or /etc/google-chrome/default in root authority,
and add --ssl-version-min=tls1 to the line of CHROMIUM_FLAGS:

Code: Select all

CHROMIUM_FLAGS="--disable-new-tab-first-run --enable-user-scripts"
to:

Code: Select all

CHROMIUM_FLAGS="--disable-new-tab-first-run --enable-user-scripts --ssl-version-min=tls1"
Addition: Linux Mint 17 cannot use this procedure. Application concerned overwrites with default file.
cb474

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by cb474 »

xenopeek wrote:
cb474 wrote:When you say ceate the folder "bin" in my home directory, do you mean in /home or in /home/user? Can I create it as a hidden folder?
I meant create the folder /home/user/bin (e.g., /home/cb474/bin). If you want to create it as a hidden folder (/home/user/.bin) you can, but then edit your .profile file and change all the code to make it detect presence of .bin and add that to the PATH instead of bin.
Okay, thanks xenopeek.
zolar1

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by zolar1 »

I use Opera. Does this affect that as well and if so, how to fix the problem?
User avatar
xenopeek
Level 25
Level 25
Posts: 30479
Joined: Wed Jul 06, 2011 3:58 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by xenopeek »

Have you tested it?
xenopeek wrote:You can test whether your browser is vulnerable by visiting https://www.poodletest.com/.
Do you have Opera 12, or do you have Opera 26 beta? (You can get the beta version for Linux from the blog: http://blogs.opera.com/desktop/) Linux is not a priority for Opera. I'd personally hesitate to use it if you need a secure browser on Linux. Using Opera 26 beta might be a better choice; it is at least maintained code.
Image
killer de bug

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by killer de bug »

The fix is in the official repo of LMDE now.
The first post can be updated :wink:
User avatar
xenopeek
Level 25
Level 25
Posts: 30479
Joined: Wed Jul 06, 2011 3:58 am

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by xenopeek »

I just got that update from Clem :wink: New version of Firefox and Thunderbird have also been released for LMDE. Updated the first post here to inform LMDE update to OpenSSL is available from Update Manager directly.
Image
fu-sen

Re: SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Post by fu-sen »

I confirmed package update of openssl and libssl in LMDE.
but the delivered version is "1.0.1i-2", and this is not for correspondence.

Please be careful about Debian package having carried out update of "1.0.1j-1" on 21 Oct.

https://packages.qa.debian.org/o/openss ... 3918Z.html

Reference:
https://packages.qa.debian.org/o/openssl.html
Post Reply

Return to “Releases & Announcements”