POODLE exploit leaves SSL 3.0 communication vulnerable to attack

On Tuesday October 14, the Google Online Security Blog published details of a vulnerability in the design of SSL version 3.0.  The vulnerability allows the plain text of secure connections to be captured through a man-in-the-middle attack.  The vulnerability is being referred to by the codename POODLE, which stands for for Padding Oracle On Downgraded Legacy Encryption.

SSL 3.0 is an old protocol that is still supported by all major browsers and websites.  The protocol is used by these systems when support for the newer TLS encryption is not available.  SSL 3.0 is the only protocol affected by this vulnerability.  The best way to protect against this vulnerability is to remove or disable SSL 3.0.

Barracuda solutions use TLS for encrypted communication but have SSL 3.0 available as an option for old clients.  Barracuda engineers are currently developing new firmware to eliminate SSL 3.0 support on the administration interfaces.  We will deliver the new firmware soon.  Barracuda Spam Firewall version 6.1.5.003 addresses this issue and is currently being rolled out worldwide. 

If automatic updates are not available, Barracuda customers should manually initiate the update as soon as the new firmware is available.  Customers using the Barracuda Web Application Firewall (WAF) should disable support for SSL 3.0 in the configuration of the WAF services.  Customers using the Barracuda SSL VPN should disable support for SSL 3.0 IN the configuration of resources.

Additionally, Barracuda strongly recommends customers upgrade their browsers and email clients to versions that support TLS.  TLS is a stronger form of encryption and is widely supported in all modern versions.

If you need assistance with your Barracuda products and SSL 3.0, please contact Barracuda support at support@barracuda.com