POODLE, SSLv3 and CFEngine

Posted by Thomas Ryd
October 20, 2014

This post clarifies whether CFEngine is affected by POODLE, the newly published vulnerability in SSL 3.0.

CFEngine core functionality, i.e. agent-to-hub communication, is not affected in any way by POODLE. If the protocol version is set to “classic” or “1”, or is simply left at the default, all communication uses the legacy CFEngine protocol, which does not use SSL/TLS at all. If it is set to “latest” or “2”, TLS 1.0 is used, which does *not* suffer from the specific flaw that POODLE exploits: SSL 3.0 leaves the content of CBC padding bytes unchecked, whereas TLS 1.0 fully specifies and verifies them. So the vulnerability is not applicable in either case.

CFEngine Enterprise also provides the Mission Portal web interface, served by the Apache httpd on port 443. Unfortunately the default package installation ships with stock Apache settings, and httpd currently accepts connections using SSL 3.0. To remedy this, edit the following line in

/var/cfengine/httpd/conf/original/extra/httpd-ssl.conf

from

SSLProtocol all -SSLv2

to

SSLProtocol all -SSLv2 -SSLv3
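The reason the stock line is a problem is how mod_ssl expands `all`: it enables every protocol the build supports, so `all -SSLv2` still leaves SSLv3 on, and only an explicit `-SSLv3` removes it. The script below is an added example for this post, not CFEngine's or Apache's own code; it evaluates `SSLProtocol` directives the way mod_ssl does (tokens processed left to right, `+`/bare adds, `-` removes, `all` expands), reports whether SSLv3 is still allowed, and rewrites offending lines idempotently so it can be run repeatedly, e.g. from a convergent policy. The membership of `all` is an assumption modelled on the Apache 2.4 / OpenSSL 1.0.1 documentation; adjust `ALL_PROTOCOLS` for your httpd build. The sample configuration fragment is constructed for the example.

```python
"""Audit and fix Apache mod_ssl `SSLProtocol` directives for POODLE (SSLv3).

Added example, not CFEngine's or Apache's own code.
Assumption: `all` expands to the protocol list below, which follows the
mod_ssl documentation for Apache 2.4 built against OpenSSL 1.0.1 or later
(Apache 2.4 no longer implements SSLv2 at all). Older builds differ.
"""
import re
import sys

# What `all` expands to on an Apache 2.4 / OpenSSL 1.0.1+ build (assumption).
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
KNOWN = ("SSLv2",) + ALL_PROTOCOLS

# Matches an active (uncommented) directive; group 3 is the argument list.
DIRECTIVE_RE = re.compile(r"^(\s*)SSLProtocol(\s+)(.*?)\s*$", re.IGNORECASE)


def enabled_protocols(directive_args):
    """Return the set of protocols an `SSLProtocol` argument list enables.

    mod_ssl processes tokens left to right: a bare name or `+name` adds it,
    `-name` removes it, and `all` stands for every name in ALL_PROTOCOLS.
    """
    enabled = set()
    for token in directive_args.split():
        op, name = "+", token
        if token[:1] in ("+", "-"):
            op, name = token[0], token[1:]
        if name.lower() == "all":
            names = set(ALL_PROTOCOLS)
        else:
            names = {k for k in KNOWN if k.lower() == name.lower()}
            if not names:
                raise ValueError("unknown SSLProtocol token: %r" % token)
        if op == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def sslv3_enabled(config_text):
    """True if any active SSLProtocol directive still permits SSLv3.

    mod_ssl's default when no directive is present is `all`, which includes
    SSLv3, so a configuration without any directive is reported as enabled.
    """
    found = False
    for line in config_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        found = True
        if "SSLv3" in enabled_protocols(m.group(3)):
            return True
    return not found


def disable_sslv3(config_text):
    """Append `-SSLv3` to every active SSLProtocol directive that allows it.

    Idempotent: directives that already exclude SSLv3 are left untouched,
    and commented-out directives are never modified.
    """
    out = []
    for line in config_text.splitlines(True):
        m = DIRECTIVE_RE.match(line)
        if m and "SSLv3" in enabled_protocols(m.group(3)):
            body = line.rstrip("\r\n")
            eol = line[len(body):]
            line = "%sSSLProtocol%s%s -SSLv3%s" % (m.group(1), m.group(2), m.group(3), eol)
        out.append(line)
    return "".join(out)


# Constructed fragment modelled on the shape of the hub's httpd-ssl.conf.
SAMPLE_CONF = """\
#   SSL Protocol support:
#SSLProtocol all -SSLv3
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
"""

if __name__ == "__main__":
    # Usage: python poodle_audit.py [path/to/httpd-ssl.conf] > fixed.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    sys.stderr.write("SSLv3 enabled before fix: %s\n" % sslv3_enabled(text))
    sys.stdout.write(disable_sslv3(text))
```

Run it against `/var/cfengine/httpd/conf/original/extra/httpd-ssl.conf` and the fixed configuration is written to standard output; the corrected line for the stock file is exactly `SSLProtocol all -SSLv2 -SSLv3`. After installing the change and restarting the hub's httpd, the result can be confirmed from another host with `openssl s_client -connect <hub>:443 -ssl3`, which should now fail to handshake; note that the `-ssl3` option only exists in OpenSSL builds that still compile in SSLv3 support.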

After editing the file, restart the hub's httpd so the new setting takes effect. This is regarded as a low-risk vulnerability that is hard to exploit, especially inside private subnets. To steal a session cookie, an attacker must first take control of the victim's browsing session (e.g. by luring the victim to a malicious website that runs attacker-controlled script), use it to generate thousands of requests to the Mission Portal, and at the same time intercept and manipulate all of the victim's network traffic to the hub, i.e. hold a man-in-the-middle position. SSL 3.0 will be disabled by default in the next version of the CFEngine Enterprise Hub.