Wind River Security Alert for Wind River Linux SSLv3 POODLE vulnerability (CVE-2014-3566 & CVE-2014-3568)
/folk/wrs/release/mfgrequest -m lx -t 12sp-50120 -lx 04 -d /net/ala-lpgnas2/vol/vol1/builds/LB34_5.0.1_RCPL0020 -e lpd-eng-buildreports@windriver.com,yue.tao@windriver.com --cdmfg --restart
Wind River Security Alert for Wind River Linux SSLv3 POODLE vulnerability (CVE-2014-3566)
This alert confirms that the following Wind River Linux releases ARE SUSCEPTIBLE to the serious SSLv3 POODLE vulnerability (CVE-2014-3566). The vulnerabilities affect Wind River Linux 2.0.x/3.0.x/4.3.0.x/5.0.1.x/6.0.0.x.
Wind River is committed to delivering secure, reliable products and offerings. As part of this commitment, the Wind River Linux Security Response Team is engaged in constant and active threat monitoring, rapid assessment and threat prioritization, response and proactive customer contact, and expedited remediation.
Wind River is closely monitoring the dynamic situation resulting from this issue and will provide additional information (and fixes as required) as the situation changes.
Vulnerability description:
=========================
SSL is designed to secure the transport level on the internet. For 'the web' aka HTTP you'll know this as HTTPS, but it's also used for other application protocols. SSLv2 was the first widely used transport security protocol but was found insecure not long after. Successors SSLv3 and TLSv1 are widely supported now. TLSv1.1 and TLSv1.2 are newer and gaining a lot of support too. Most if not all web browsers released from 2014 have support for it.
The recent discovery by Google engineers points out that SSLv3 should not be used (like SSLv2 is deprecated a long time ago). The clients that won't be able to connect to your site/service are probably very very limited. CloudFlare announced that less than 0.09% of their visitors still rely on SSLv3.
Solution:
=========
Disable SSLv3.
If SSL 3.0 is disabled in either the client or in the server, that is completely sufficient to avoid the POODLE attack. Note well that this is not about a bug in OpenSSL -- it's a protocol issue.
How to check a service if it enables SSLv3?
$openssl s_client -connect : -ssl3
If the connection succeeds, sslv3 is enabled. If it fails, it is disabled.
How to disable SSLv3 of a service? An example, disable SSLv3 for Apache HTTPD Server:
Add the following line in Apache configuration among the other SSL directives, and restart the service.
SSLProtocol All -SSLv2 -SSLv3
Note: openssh is invulnerable of this issue
For systems that cannot easily disable SSL 3.0 support, TLS has an option when connecting to disable such downgrades automatically using the TLS_FALLBACK_SCSV option. The client can then determine if it needs to go ahead and perform a retry with a lower connection instead of it being an automated part of the TLS handshake. You need to apply fowllowing patchs for each WRLinux version to support TLS_FALLBACK_SCSV.
Server-side TLS_FALLBACK_SCSV support is automatically provided if you use the patch. Clients that do fallback connections downgrading the protocol version should use SSL_set_mode(ssl, SSL_MODE_SEND_FALLBACK_SCSV) for such downgraded connections.
Apply the patch for Wind River Linux 4.3.0.x
1) The patches depend on previous alert, so please apply it at first,
https://support.windriver.com/olsPortal/faces/maintenance/downloadDetails.jspx?contentId=044099&_adf.ctrl-state=amt3ovcwm_19
2) Update 4.3 RCPL 26
3) Apply the patch
$cd /product/wrlinux-4/layers/updates/RCPL-4.3-WRL.0026/wrll-userspace
$patch -p1 < 0001-openssl-Support-TLS_FALLBACK_SCSV-4.3.patch
$patch -p1 < 0002-openssl-Add-TLS_FALLBACK_SCSV-documentation-and-move-4.3.patch
$patch -p1 < 0003-Fix-no-ssl3-configuration-option-4.3.patch
Apply the patch for Wind River Linux 5.0.1.x
1) Updating 5.0.1.19
2) configure project with .. --with-rcpl-version=0019
3) cd project/layers/oe-core
4) git am 0001-openssl-Support-TLS_FALLBACK_SCSV-5.0.1.patch
5) git am 0002-openssl-Add-TLS_FALLBACK_SCSV-documentation-and-move-5.0.1.patch
6) git am 0003-Fix-no-ssl3-configuration-option-5.0.1.patch
Apply the patch for Wind River Linux 6.0.0.x
1) Updating 6.0.0.12
2) configure project with .. --with-rcpl-version=0012
3) cd project/layers/oe-core
4) git am 0001-openssl-support-TSL_FALLBACK_SCSV-6.0.patch
5) git am 0002-openssl-Add-TLS_FALLBACK_SCSV-documentation-and-move-6.0.patch
6) git am 0003-Fix-no-ssl3-configuration-option-6.0.patch
The 2.0.x/3.0.x are End of Life (EOL), please contact Wind River Support at +1-800-872-4977 or your local Wind River representative for the Wind River Linux 2.0.x/3.0.x fix.
