Security Advisory: Poodle Exploit

Security Advisory: Poodle SSL Vulnerability

In October 2014, news broke of an exploit involving the TLS protocol. The published exploit, dubbed 'Poodle' is also known by the identifications CVE-2014-3566 or VU#577193. TLS is used for encrypted web sites (e.g. banking - sites prefixed with 'HTTPS'). TLS is a more recent version of the original SSL protocol.

The Poodle exploit itself takes advantage of fallback mechanisms in TLS implementations, but ultimately the 'vulnerability' is that the original SSL V3 protocol is nowadays considered insufficiently secure.

In order to administer a Poodle attack, a hacker must conduct a man in the middle attack - i.e. have access to your data stream, as opposed to being a remote/indirect hack. This may be possible, for example, by running a rogue public access point through which the victim runs a vulnerable session/connection.

DrayTek Products

No DrayTek hardware products are affected by Poodle.

The above information, however, must be taken in context. Poodle is a mechanism which allows devices which support TLS to be tricked into falling back from TLS to SSL encryption. It's a flaw in the design of the protocol. Poodle itself does not expose any data; it is SSL that is considered to be use insufficiently strong encryption these days. Therefore the use of TLS is recommended wherever possible.

Most current and new DrayTek products use TLS instead of SSL3 - if you are using a new product or recent firmware (see below), we no longer support SSL3 and only support TLS.

Depending on the age of your product, you may need to upgrade your firmware. The following list confirms the firmware version (or later) that you should be running in order to support TLS and no longer permit SSL:

If you are running a much older product which is no longer in development and it only supports SSL3 then it's not vulnerable to Poodle as such but it's using a protocol which has been superceded by the newer more secure TLS method.

DrayTek ACS-SI Management Platform

DrayTek ACS-SI is a management platform for estates of DrayTek routers, used mostly by dealers and enterprise customers. Whereas with CPE (routers), SSL3 can be removed, ACS-SI still has to support both SSL3 to allow for the management of older CPE which do not support TLS. If all of your managed routers support TLS, you can (and should) disable SSL3 in ACS-SI (option available in software version 1.1.6 and later).

Advice Regarding other Services / Products (non-DrayTek)

You should check equivalent statements/advisories from the providers of all of your other networking hardware vendors, servers, PCs, web service providers and ISPs and then follow the advice of each of them regarding any necessary precautions or updates.

Disclaimer : Please check this web page again for any new/updated information. You are advised to always keep your product's firmware or software up-to-date and keep in touch with your vendors to be advised of any new vulnerabilities (for example by subscribing to mailing lists). The information is this web page is provided in good faith based on the the information available to us at the current time, following an appropriate assessment but without acceptance of liability in the case of new, developing or existing threats or unlawful activity against your system. Any suggestions given above are provided as general information but should not be considered a thorough or specific assessment of your own individual security risks and you should take formal advice from a security expert to assess your specific security needs. As with any advisory, the suggested advice forms part of your own security planning and protocols.