A previously discovered attack method that takes advantage of a design flaw in the Secure Socket Layer (SSL) encryption protocol works against certain implementations of the Transport Layer Security (TLS) protocol, as well.

Numerous websites are vulnerable to this Padding Oracle on Downgraded Legacy Encryption (POODLE) exploit. POODLE attacks allow cybercriminals to decrypt the contents of an encrypted session between a browser and a Web server under certain conditions.

No Workarounds

No workarounds are available for the TLS flaw that enables the attack, and the only way to address this issue is to install a patch for it. Network load-balancing products from F5 Networks, A10 Networks and potentially other vendors are vulnerable to the issue, Google security engineer Adam Langley said in a blog post Monday.

“Unfortunately, I found a number of major sites that had this problem,” Langley wrote. “I’m not sure that I’ve found every affected vendor, but now that this issue is public, any other affected products should quickly come to light.”

Both F5 and A10 have issued patches to address the problem highlighted by Langley.

Inherent Weakness

The original POODLE attack, developed by a trio of security researchers at Google earlier this year, basically takes advantage of an inherent weakness in the method the SSLv3 protocol uses to encrypt data blocks. The Google researchers showed how attackers could exploit the weakness to steal authentication cookies from an Internet user’s browser and use the credentials to access associated email, bank and other online accounts belonging to the user.

Though the TLS protocol replaced the SSLv3 standard long ago, many websites still support the older protocol for backward compatibility purposes. The POODLE attack showed how attackers could trick a Web server and a client browser into using the older, vulnerable SSLv3 standard, even if both sides supported more recent versions of the TLS protocol.

Security researchers have previously noted that the only way to mitigate the SSLv3 issue is to disable the backwards compatibility capability that allows products to roll back to the old protocol. Google’s Chrome browser and Mozilla’s Firefox have completely eliminated rollback to SSLv3 following the release of the POODLE report.

However, Langley said his research shows POODLE attacks are still possible against certain TLS implementations such as those found in F5 and A10’s products. The issue has to do with the manner in which the padding structure in TLS is checked in certain products.

“Even though TLS is very strict about how its padding is formatted, it turns out that some TLS implementations omit to check the padding structure after decryption,” Ivan Ristic, director of application security research at Qualys, Inc., explained in a blog post. “Such implementations are vulnerable to the POODLE attack, even with TLS.”

Major Websites Likely Affected by Attack

The new SSL/TLS issue likely affects some of the most popular websites in the world, considering the large installed base of F5 systems, Ristic said.

“The impact of this problem is similar to that of POODLE, with the attack being slightly easier to execute — no need to downgrade modern clients down to SSL 3 first; TLS 1.2 will do just fine,” he said.

Popular Web browsers are most likely going to be the main targets because the attacker must inject malicious JavaScript to initiate POODLE, he said.

In its patch release advisory, A10 said it was notified of the problem with its TLS implementation in early November. The company described the issue as one similar to the one in SSLv3, “where the padding is not defined as part of the protocol.”

Meanwhile, F5 listed all product versions that are vulnerable to POODLE attacks and urged customers to upgrade to product versions that are not vulnerable to the threat.

More from

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker…

Operational Technology: The evolving threats that might shift regulatory policy

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Attacks on Operational Technology (OT) and Industrial Control Systems (ICS) grabbed the headlines more often in 2022 — a direct result of Russia’s invasion of Ukraine sparking a growing willingness on behalf of criminals to target the ICS of critical infrastructure. Conversations about what could happen if these kinds of systems were compromised were once relegated to “what ifs” and disaster movie scripts. But those days are…

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…