Posted in : All, Mitel | February 4, 2015

POODLE security issue in SSLv3

Nov 7, 2014

On October 14, 2014, a security issue was reported in version 3 of the Secure Sockets Layer (SSL) protocol, which is sometimes used to encrypt network traffic. Under the right conditions, this vulnerability (called POODLE, CVE-2014-3566) could be exploited to decrypt all or part of a transaction encrypted with SSL v3.

POODLE is a flaw in the SSL v3 protocol and is not specific to any particular implementation of SSL. SSL has been largely superseded by the Transport Layer Security (TLS) protocol. TLS itself is not vulnerable; however, an attacker may be able to artificially trigger a protocol downgrade from TLS to SSLv3.

Mitel has assessed the threat posed by POODLE. The vulnerability is exploitable in narrow circumstances; specifically, the attacker must:
1. Intercept traffic between a client and server (man-in-the-middle),
2. Ensure SSLv3 is used to encrypt the traffic, and
3. Repeatedly compute and transmit hundreds of packets crafted in real-time for every payload byte being examined.
These conditions make successful exploitation somewhat difficult. No reports of attacks based on the POODLE vulnerability have been seen in the field. Mainstream browsers have already released updates that eliminate the ability to downgrade TLS connections to SSLv3. These actions make POODLE a less promising attack vector for malicious actors. Based on the information currently available, it appears that POODLE does not represent a significant elevation of risk to Mitel products.
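
Condition 2 above is the one an administrator can verify directly: whether a server still agrees to SSLv3 when a client offers it. The following is an added example, not Mitel code, that reads the first record of a captured server reply and reports the protocol version selected in the ServerHello. The function names are hypothetical and the sample records are constructed for illustration.

```python
import struct

HANDSHAKE, ALERT = 22, 21   # record-layer content types
SERVER_HELLO = 2            # handshake message type
SSLV3 = (3, 0)              # wire value of the SSLv3 protocol version


def negotiated_version(record: bytes):
    """Return (major, minor) chosen in a ServerHello record.

    Returns None when the record is not a ServerHello, for example the
    alert a server sends when it refuses the offered version.
    Raises ValueError on truncated input.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated record body")
    if ctype != HANDSHAKE or len(body) < 6 or body[0] != SERVER_HELLO:
        return None
    # body[1:4] is the 24-bit handshake length; server_version follows it.
    return (body[4], body[5])


def accepts_sslv3(record: bytes) -> bool:
    """True when the captured server reply selects SSLv3."""
    return negotiated_version(record) == SSLV3


def _server_hello(minor: int) -> bytes:
    # Constructed sample: minimal ServerHello with zeroed random, empty
    # session id, cipher suite 0x002f and null compression.
    hello = bytes([3, minor]) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    msg = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", HANDSHAKE, 3, minor, len(msg)) + msg


SAMPLE_SSLV3 = _server_hello(0)   # constructed: server selects SSLv3
SAMPLE_TLS12 = _server_hello(3)   # constructed: server selects TLS 1.2
# Constructed sample: fatal handshake_failure alert (level 2, description 40).
SAMPLE_ALERT = struct.pack("!BBBH", ALERT, 3, 0, 2) + b"\x02\x28"

if __name__ == "__main__":
    for name, rec in [("sslv3", SAMPLE_SSLV3), ("tls12", SAMPLE_TLS12),
                      ("alert", SAMPLE_ALERT)]:
        print(name, negotiated_version(rec), accepts_sslv3(rec))
```

A server that answers an SSLv3-only offer with an alert rather than a ServerHello has SSLv3 disabled, which removes condition 2 regardless of what the client supports.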
