POODLE affects SSLv3, version 3 of the Secure Sockets Layer protocol, which is used to encrypt traffic between a browser and a web site or between a user’s email client and mail server. It’s not as serious as the recent Heartbleed and Shellshock vulnerabilities, but POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password.

To exploit the vulnerability, the attacker needs JavaScript running in your browser and has to be on the same network as you—for example, on the same Starbucks Wi-Fi network you’re using. This makes it less severe than an attack that can be conducted remotely against any computer on the Internet.

The attack works only on traffic sessions using SSLv3. Heartbleed and Shellshock were vulnerabilities that allowed an attacker to hack a server. POODLE instead targets the clients. Google’s security team has recommended that systems administrators simply turn off support for SSLv3 to avoid the problem.


Which systems could be affected?

Basically any client and server supporting SSL v3.

How to fix POODLE SSLv3 Vulnerability in cPanel?


HTTP – Apache

To disable SSLv3 in Apache, go to WHM >> Service Configuration >> Apache Configuration >> Include Editor, and add the following to the Pre Main Include:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

Press the Update button and rebuild your Apache configuration.

Restart Apache.

/etc/init.d/httpd restart

or

Alternatively, disable SSLv3 on the Apache web server by adjusting the SSLProtocol directive provided by the mod_ssl module. As root, edit the Apache configuration file /etc/httpd/conf.d/ssl.conf, set the directive as shown below, and restart the Apache service after making the change.

SSLProtocol all -SSLv3 -SSLv2


Nginx Webserver

In the Nginx configuration, change the line

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

to

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Restart Nginx.

/etc/init.d/nginx restart


LiteSpeed Webserver

LiteSpeed has released an update to version 4.2.17. You can force a reinstall by running this command:

# /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.17
Then go to WHM >> Service Configuration >> Apache Configuration >> Include Editor >> Pre Main Include, select a version or All Versions, and add the following in the text box that appears:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

Press the Update button and rebuild your Apache configuration. This will disable SSLv3.0 on your server running LiteSpeed.


How to verify SSL websites

To verify you’re covered, run the following command in a terminal as root:

openssl s_client -connect www.yourssldomain.com:443 -ssl3
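Added example (not from the original post): a small Python probe that sends a raw SSLv3 ClientHello and reports whether the server answers with an SSLv3 ServerHello. It performs the same check as the command above but does not need an OpenSSL build that still supports SSLv3, and the cipher-suite list and placeholder host name it uses are assumptions.

```python
import os
import socket
import struct

SSLV3 = b"\x03\x00"  # record/handshake version 3.0
# Common SSLv3-era suites (AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5),
# chosen here so a server willing to speak SSLv3 has something to select.
CIPHER_SUITES = b"".join(struct.pack("!H", s) for s in (0x002F, 0x0035, 0x000A, 0x0005, 0x0004))


def build_sslv3_client_hello(client_random=None):
    """Return one record carrying a minimal SSLv3 ClientHello (RFC 6101 layout)."""
    random = os.urandom(32) if client_random is None else client_random
    if len(random) != 32:
        raise ValueError("client random must be 32 bytes")
    body = (SSLV3 + random
            + b"\x00"                                          # empty session id
            + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
            + b"\x01\x00")                                     # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake  # 0x16 = handshake


def classify_response(data):
    """Interpret the first record the server sends back to the SSLv3 ClientHello."""
    if len(data) < 5:
        return "rejected"  # connection closed or nothing usable: SSLv3 not negotiated
    content_type, version = data[0], data[1:3]
    if content_type == 0x16 and version == SSLV3 and len(data) > 5 and data[5] == 0x02:
        return "sslv3_accepted"  # ServerHello inside an SSLv3 record: still POODLE-exposed
    if content_type == 0x15:
        return "rejected"  # alert, typically protocol_version or handshake_failure
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Connect to a port that speaks TLS directly (443, 993, 995, ...) and report."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.yourssldomain.com"  # placeholder, as in the post
    print(target, probe(target))
```

Run it against each port that speaks TLS directly; sslv3_accepted means the service still needs the fix, while rejected means the server refused the SSLv3 handshake.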


SMTP – Exim

WHM >> Service Configuration >> Exim Configuration Manager >> Advanced Editor, and change tls_require_ciphers to

ALL:-SSLv3:RC4:-SSLv2:!ADH:+HIGH:+MEDIUM:-LOW:-EXP

Restart Exim.


POP/IMAP – Courier-IMAP / Dovecot

WHM >> Service Configuration >> Mailserver Configuration, and change SSL Cipher List to

ALL:-SSLv3:RC4:-SSLv2:!ADH:+HIGH:+MEDIUM:-LOW:-EXP


FTP – Pure-FTP / Pro-FTP

WHM >> Service Configuration >> FTP Server Configuration, and change the TLS Cipher Suite to

ALL:-SSLv2:!ADH:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:AES256-SHA:AES128-SHA:DES-CBC3-SHA


cPanel Web Services

WHM >> Service Configuration >> cPanel Web Services Configuration, and change TLS/SSL Cipher List to

ALL:-SSLv2:!ADH:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:AES256-SHA:AES128-SHA:DES-CBC3-SHA


cPanel Web Disk

WHM >> Service Configuration >> cPanel Web Disk Configuration, and change TLS/SSL Cipher List to

ALL:-SSLv2:!ADH:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:AES256-SHA:AES128-SHA:DES-CBC3-SHA
