ManageOps Cloud NOT Vulnerable to POODLE Attack


In this context, “POODLE” stands for “Padding Oracle On Downgraded Legacy Encryption,” and refers to a specific way to attack SSL-encrypted communications. SSL v3.0 is an older encryption standard that has a known design vulnerability. Although SSL v3.0 has largely been replaced by TLS encryption, which does not have the same vulnerability, many servers and other systems that accept SSL connections remain backward-compatible, and will fall back to SSL v3.0 if a TLS connection fails.

To exploit this vulnerability, the attacker must be able to control portions of the client side of the SSL connection, and must have visibility of the resulting encrypted text. The most common way to gain this access is via a “Man-in-the-Middle” attack in which the attacker inserts himself into the connection between the two parties, and relays messages between them while making them believe they are talking directly to each other over a private connection. While it is not trivial to gain this level of access, it is possible, particularly in access scenarios such as public WiFi.

If the attacker is able to gain “Man-in-the-Middle” access, it is possible to create a condition under which the connection will fall back to SSL v3.0, unless that fall-back option has been disabled. The attacker can then proceed to exploit the vulnerability.

All SSL connections into the ManageOps hosting infrastructure are terminated by Citrix NetScaler VPX virtual appliances. Citrix has documented the configuration settings required to disable NetScaler fall-back to SSL v3.0, and our engineering team has verified that these settings are applied on all of the NetScalers in our infrastructure.