Spectracom - Essential Ingenuity

POODLE Vulnerability


Are Spectracom Products Vulnerable to the POODLE Bug?


Fix implementation for the SSLv3 vulnerability CVE-2014-3566 „POODLE“

Spectracom network time servers provide for a secure communication link for configuration set-up and management. This link is based on an encrypted client-server session using standard protocols which have recently been found vulnerable to a “man-in-the-middle” attack. This article will describe the products affected, specific vulnerability, analysis of the risk, and two alternatives to mitigate the risk.

Products affected
  • SecureSync
  • NetClock 9200, 9300, 9400 Series
Description of the vulnerability
The POODLE vulnerability of the SSLv3 Secure Socket Layer encryption protocol allows for a man-in-the-middle attack. POODLE stands for Padding Oracle On Downgraded Legacy Encryption: An attacker between client and server will interfere with the handshake process that tries to establish the highest possible common protocol (typically, TLS 1.x) and thus—if successful—will cause the encryption protocol between client and server to be downgraded unnecessarily to SSL 3.0. The attacker can then take advantage of the SSLv3 weaknesses by injecting and/or deciphering code, i.e. hijacking the session or revealing encrypted data.

Analysis of risk
Spectracom products are usually deployed on secure networks where the risk of a man-in-the-middle attack is highly unlikely. If you have concerns you can set-up network access controls to limit management access to specific addresses or subnets that do not pose a risk or take the recommended corrective measures below. In all cases these actions will not affect network time server operation.

Corrective action
In early November 2014 Spectracom will release the 3.6.7 patch to remove support for SSL 3.0 to remove the vulnerability for NetClock 9200/9300 series. This software is available for download here: http://www.spectracomcorp.com/Support/HowCanWeHelpYou/Software/tabid/61/Default.aspx#NetClock

The patch for NetClock 9400 series and SecureSync is scheduled to be released around January 2015. Until then, we encourage customers who are concerned about the POODLE vulnerability to disable SSLv3 manually in their Web browsers, in order to make any attempt by a man-in-the-middle to downgrade the encryption protocol futile.

Depending on which browser you are using, follow these instructions:

Google Chrome©:
  1. Right-click on the Chrome program icon in your Taskbar.
  2. Click Properties.
  3. In the Properties window for the Google Chrome shortcut, click inside the Target box, and scroll all the way to the very right end.
User-added image
  1. Enter " --ssl-verson-min=tls1“ (Note the SPACE before the two hyphens)
  2. Click OK.
  3. If asked for administrator rights, click Continue.
  4. Restart Chrome.
Note: Instructions for non-Windows versions of Chrome can be found on the Internet by searching for entries like “Protect browser against POODLE”, for example.
Mozilla Firefox©:
  1. Open about:config, and find security.tls.version.min. Set the value to “1”.
  2. Close the browser, and restart it, in order to close any possible open SSL connections.
User-added image
Note: The next Firefox release, scheduled for 25-November-2014, will have SSLv3 disabled by default, and hence will no longer require any modifications.

Microsoft Internet Explorer©:
  1. From the Tools drop-down menu, click Internet Options.
  2. Click the Advanced tab.
  3. Uncheck the check box Use SSL 3.0.
User-added image
  1. Click OK.

Note: As mentioned above under "Analysis of risk", an alternative approach to deactivating SSLv3 on an application level in your browser is to restrict network access. This can be done through the SecureSync, or NetClock 9400 Web UI: See Instruction Manual, Chapter "Configuring Network Access Rules". Yet another option is to block SSLv3 on a network level, using a firewall. Contact your network system administrator for more information.

-end of document-


Was this information helpful?

 Yes  No