POODLE Vulnerability

URL Name: poodle
Article Number: 000192263
Environment: 12.3
Question/Problem Description

This article discusses the POODLE vulnerability (CVE-2014-3566) and gives step-by-step instructions to resolve it.

Affected Products: MOVEit DMZ, MOVEit Mobile, MOVEit Central, WS_FTP Server, WS_FTP Web Transfer Module, WS_FTP Professional
Version: All
Platform: All
Resolution
POODLE combines two steps: a downgrade attack that forces a client and server which both support newer TLS versions to fall back to SSL 3.0, followed by a padding-oracle attack against SSL 3.0's CBC cipher modes, which lets an active network attacker recover plaintext (for example, session cookies) one byte at a time. For more information, see:

http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

To protect against this attack, it is recommended that you disable SSL 3.0 for all services and clients using SSL/TLS.
 
Important Note:

Following these instructions may cause compatibility problems for users on old platforms and browsers that have no support for TLS 1.0 or higher. Test these configuration changes first and carefully monitor the production system after making them, so that you are prepared to handle any impact.

Find your Ipswitch product(s) below for instructions and guidance on disabling SSL 3.0, or click these links to jump to those sections on the page:

MOVEit DMZ
MOVEit Mobile
MOVEit Central
WS_FTP Server
WS_FTP Server WTM or Ad Hoc Modules
WS_FTP Professional

 

MOVEit File Transfer (DMZ, Central, Xfer, Freely, Windows APIs) and WS_FTP Server Web Transfer/Ad Hoc Modules

Usually, these products rely solely on Microsoft Windows (the Schannel security provider) for their SSL/TLS services. Therefore, disabling SSL 3.0 means disabling it for the whole system. If the machine is not dedicated to these Ipswitch products, consider the impact of these changes on other applications running on the server.

However, in some load-balanced MOVEit configurations (e.g. Webfarm), you may be terminating SSL/TLS on your load balancer. This means that the load balancer handles all of the transport encryption over the Internet and then forwards traffic internally to your MOVEit servers.

If that is the case, remediation must also be performed on the load balancer. Be aware that your load balancer may need a vendor patch even after SSL 3.0 is disabled: some TLS implementations failed to verify the CBC padding bytes, which makes the same padding-oracle attack work against TLS 1.x (the "TLS POODLE" issue, CVE-2014-8730). Whether this applies depends on your load balancer's vendor and model. See:

https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html
https://www.a10networks.com/support/advisories/A10-RapidResponse_CVE-2014-8730.pdf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730

There are three ways of disabling SSL 3.0 on your servers to remediate the POODLE flaw: importing a .reg file (Method 1), editing the registry by hand (Method 2), or, on MOVEit DMZ 8.0 and above, using the DMZ Config utility (Method 3). All three write the same Schannel registry settings (Method 3 for the Server side only).

Each method requires a reboot for the change to take effect.
 

Method 1: To disable SSL 3.0 automatically, follow these instructions:

1. Run regedit.exe and navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols

2. Right-click the Protocols key and choose Export. Save the file somewhere safe in case you need to restore your previous settings.

3. Copy the following text into a notepad file on the server:
 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

4. Choose File > Save, select All Files from the Type drop-down, and save the file with a name like DisableSSLv3.reg, making sure it has a .reg extension.

5. Double-click the reg file you just saved and click Yes to import it into the registry.
 

Method 2: To disable SSL 3.0 manually, follow these instructions:

1. Run regedit.exe and navigate to the following registry key:
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols

2. Right-click the Protocols key and choose Export. Save the file somewhere safe in case you need to restore the settings or need to try making the changes again.

3. If SSL 3.0 doesn't exist as a sub-key under Protocols, right-click on the Protocols key and choose New -> Key. Name the new key SSL 3.0, making sure there is a space between the L and the 3.

4. If Server doesn't exist as a sub-key under SSL 3.0, right-click on the SSL 3.0 key and again choose New -> Key. Name the new key Server.

5. If Client doesn't exist as a sub-key under SSL 3.0, right-click on the SSL 3.0 key and again choose New -> Key. Name the new key Client.

Repeat the remaining steps for both Server and Client keys:

6. If DisabledByDefault doesn't exist as a value under the key, right-click the key, choose New > DWORD (32-bit) Value, and name the value DisabledByDefault.

7. Double-click the DisabledByDefault value and set the Value data field to 1.

8. If Enabled doesn't exist as a value under the key, right-click the key, choose New > DWORD (32-bit) Value, and name the value Enabled.

9. Double-click the Enabled value and set the Value data field to 0.

When you are done, both the Server and Client keys under SSL 3.0 should contain these two values:

DisabledByDefault    REG_DWORD    0x00000001 (1)
Enabled              REG_DWORD    0x00000000 (0)
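The following script is an added example, not part of the original article, that performs Methods 1 and 2 above from an elevated PowerShell session: it exports the Protocols key as a backup, creates the SSL 3.0\Client and SSL 3.0\Server keys if they are missing, writes the two DWORD values, and reads them back so the change can be confirmed before the reboot. The backup file path is an assumption; adjust it to suit. Run it on every node of a Webfarm and reboot each node afterwards.

```powershell
#Requires -RunAsAdministrator

function Disable-SchannelSsl3 {
    param(
        # Assumed backup location; any writable path will do.
        [string]$BackupPath = (Join-Path $env:SystemDrive 'Schannel-Protocols-backup.reg')
    )

    $regPath  = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $psPath   = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

    # Step 2 of the manual procedure: export the Protocols key before changing anything.
    # /y overwrites an existing file without prompting.
    reg.exe export $regPath $BackupPath /y | Out-Null
    Write-Verbose "Protocols key exported to $BackupPath"

    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $psPath "SSL 3.0\$role"

        # New-Item -Force creates 'SSL 3.0' and the role sub-key when missing and is
        # harmless when they already exist, so the script is safe to re-run.
        New-Item -Path $key -Force | Out-Null

        # Same values as the DisableSSLv3.reg file above: Enabled = 0, DisabledByDefault = 1.
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Read back the effective values. 'Disabled' is $true only when both values are correct.
    foreach ($role in 'Client', 'Server') {
        $p = Get-ItemProperty -Path (Join-Path $psPath "SSL 3.0\$role")
        [pscustomobject]@{
            Role              = $role
            Enabled           = $p.Enabled
            DisabledByDefault = $p.DisabledByDefault
            Disabled          = ($p.Enabled -eq 0 -and $p.DisabledByDefault -eq 1)
        }
    }
}

Disable-SchannelSsl3 -Verbose
# Reboot afterwards; Schannel reads these keys only at start-up.
```

To roll back, double-click the exported .reg file (or run reg.exe import on it) and reboot again.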
 

Method 3 (MOVEit DMZ 8.0 and above only):

You can use the DMZ Config utility's SSL tab to disable SSL 3.0 for incoming connections. The tool writes the same system-wide Schannel registry settings described above. Note that it currently disables SSL 3.0 only for connections where this machine acts as the server (incoming connections); the Client key is left untouched. Normally this is sufficient, as most DMZ servers do not allow outgoing connections at all. If your server needs to make outgoing SSL connections, or is capable of making active-mode FTPS data connections (where the server opens the connection), use one of the other methods above instead of the DMZ Config utility.

Please note that while this configuration is replicated to other nodes in a Webfarm, each node must be rebooted individually in order for it to take effect. It's recommended that you confirm the change has been replicated to the other nodes prior to the reboot.

On the SSL tab, uncheck SSL 3.0 and click Apply.
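Once a server has been rebooted, confirm from another machine that its listeners really refuse SSL 3.0. The function below is an added example, not part of the original article or of any Ipswitch product: it opens a TCP connection, sends a hand-built SSL 3.0 ClientHello (version 0x0300, offering the AES128-SHA and 3DES-SHA CBC suites that Windows servers of that era enabled by default), and classifies the first record that comes back. A ServerHello at version 3.0 means SSL 3.0 is still accepted; an alert or an immediate close means it was refused. It applies to services that speak TLS from the first byte, such as HTTPS (443) and implicit FTPS (990); explicit FTPS (AUTH TLS on port 21) is not covered. Host names in the usage lines are placeholders.

```powershell
function Test-SslV3Offered {
    <#
    Returns 'Accepted' when the listener answers an SSL 3.0 ClientHello with an SSL 3.0 ServerHello
    (SSL 3.0 still enabled), 'Refused' when it sends an alert or closes the connection,
    'Unreachable' when the TCP connection or read fails, and 'Unexpected' otherwise.
    #>
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )

    # ClientHello body: client_version 3.0, 32-byte random, empty session_id,
    # cipher_suites (length 4): 0x002F TLS_RSA_WITH_AES_128_CBC_SHA, 0x000A TLS_RSA_WITH_3DES_EDE_CBC_SHA,
    # compression_methods (length 1): null.
    $random = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($random)
    $body = [byte[]]([byte[]](0x03, 0x00) + $random + [byte[]](0x00) +
                     [byte[]](0x00, 0x04, 0x00, 0x2F, 0x00, 0x0A) + [byte[]](0x01, 0x00))

    # Handshake header: msg_type 1 (ClientHello) and a 3-byte length (body is 43 bytes, fits in one).
    $handshake = [byte[]]([byte[]](0x01, 0x00, 0x00, $body.Length) + $body)

    # Record header: content type 22 (handshake), version 3.0, 2-byte length.
    $record = [byte[]]([byte[]](0x16, 0x03, 0x00, 0x00, $handshake.Length) + $handshake)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $client.ConnectAsync($ComputerName, $Port).Wait($TimeoutMs)) { return 'Unreachable' }
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $stream.Write($record, 0, $record.Length)

        # Only the 5-byte record header of the reply is needed to classify it.
        $head = New-Object byte[] 5
        $n = $stream.Read($head, 0, $head.Length)
        if ($n -eq 0) { return 'Refused' }                      # peer closed without answering
        if ($head[0] -eq 0x16 -and $head[1] -eq 0x03 -and $head[2] -eq 0x00) { return 'Accepted' }
        if ($head[0] -eq 0x15) { return 'Refused' }             # alert, e.g. handshake_failure / protocol_version
        return 'Unexpected'
    }
    catch {
        # Connection refused, reset, or read timeout all land here.
        return 'Unreachable'
    }
    finally {
        $client.Close()
    }
}

# Usage (placeholder host names); the expected result after remediation is 'Refused'.
Test-SslV3Offered -ComputerName moveit.example.com -Port 443
Test-SslV3Offered -ComputerName ftp.example.com -Port 990
```

A 'Refused' result can also come from a server that still speaks SSL 3.0 but supports neither of the two offered cipher suites, so if the listener uses an unusual suite set, add its suites to the cipher_suites list (and update the two length bytes) before trusting the answer.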

MOVEit Mobile

The MOVEit Mobile service runs in Tomcat, which uses OpenSSL to provide secure connections, so if you have this service installed alongside MOVEit DMZ, then you will need to separately disable SSL 3.0.

1. Under the MOVEit Mobile install directory (by default, X:\Program Files (x86)\Ipswitch\MOVEit Mobile), find the Tomcat\conf\server.xml file and open it in Notepad.

2. Find the SSLProtocol line in the config, and ensure that it matches the following:
 
SSLProtocol="TLSv1"
Note that this option cannot disable SSLv3 while leaving every TLS version enabled: with it, only TLS 1.0 remains enabled.

3. File > Save and restart the Mobile service (Stop/Start in the Status tab of DMZ Config).

WS_FTP Server

WS_FTP Server uses OpenSSL to provide secure connections. The configuration to disable SSL 3.0 is therefore inside the WS_FTP Server application and applies only to the WS_FTP Server application. In actuality, the setting is to enable only TLS, but the effect is the same: SSL 3.0 will be disabled.

Please note that this setting change is available only for version 7.6.3 and later. Please upgrade if you are running an earlier version.

1. Log on to the WS_FTP Server administrative web interface (e.g. http://localhost/WSFTPSVR/login.asp) as a system administrator user.

2. Click on Listeners on the landing page or go to Server > Listeners at the top.

3. For each of the FTP listeners, click on the IP address that they're listening on and perform the remaining steps.

4. Click the Edit SSL Settings button at the bottom.

5. Choose Enable TLS only (more secure) and click Save.

NOTE: In WS_FTP Server 8.0 and higher, these options are now checkboxes and let you specifically select versions of SSL and TLS. 

6. When all listeners have been saved with the new setting, go to Server > Services at the top, check the Ipswitch WS_FTP Server service, and click Restart.

WS_FTP Professional

WS_FTP Pro uses OpenSSL to provide secure connections. The configuration to disable SSL 3.0 is therefore inside the WS_FTP Pro application and applies only to the WS_FTP Pro application. In actuality, the setting is to enable only TLSv1, but the effect is the same: SSL 3.0 will be disabled.

This setting change must be made on a per-site basis.

1. Go to Connections > Site Manager on the top-left.

For each site using FTPS or HTTPS:

2. Double-click on the site or click the Edit button with the site highlighted/selected.

3. On the left, under Advanced, click SSL and check the Use TLSv1 only option, then click OK.

NOTE: In versions 12.5.1 and higher, this option is now "Use TLS only."

4. Reconnect to the site to ensure that the connection still works. Contact the server operator if it does not: they may need to upgrade their server software to maintain compatibility with this option.


 
 
Last Modified Date: 5/12/2021 9:32 AM