
Bit9 + Carbon Black Poodle (SSLv3 Vulnerability) Status

October 15, 2014 / Joe Toomey

POODLE is an attack on the SSL v3.0 protocol that was disclosed by a group of security researchers at Google yesterday.

Does POODLE affect public-facing Bit9 + Carbon Black servers?

No. All public-facing Bit9 + Carbon Black servers, including bit9.com, blog.bit9.com, the Bit9 + Carbon Black Threat Intelligence Cloud and the Bit9 Software Reputation Service, have had their configurations remediated and are not vulnerable to this attack.

Can POODLE affect the Bit9 Platform and/or Carbon Black in their default configurations?

Yes. POODLE can affect any Web-based software in which the client and server could agree to negotiate down to the SSL v3.0 protocol. This includes software running on Microsoft Internet Information Services (including the Bit9 Platform server), software running on nginx (including the Carbon Black server) and all other Web server configurations that support SSL v3.0.

How can I immediately work around this vulnerability for my Bit9 Platform server?

POODLE can be completely addressed by ensuring that the Bit9 Platform server configuration does not allow the use of the SSL v3 protocol. You can disable SSLv3 on your Bit9 Platform server by executing the following disablesslv3.reg file [sha256: 798497f49fbc677f5c3563f11cac0997b3bdabd2bf35ca80e5f63abc19865e44] and then rebooting the server. The reboot is required.

(The original post linked instructions for making these registry edits manually in regedit.exe.)

How can I immediately work around this vulnerability for my Carbon Black server?

POODLE can be completely addressed by ensuring that the Carbon Black server configuration does not allow the use of the SSL v3 protocol. This step will be required on each Carbon Black server in a Carbon Black deployment, including both master and minion nodes in a clustered deployment.

Carbon Black uses nginx as its SSL termination proxy. Therefore, addressing the POODLE vulnerability can be accomplished by updating nginx configuration to avoid use of the vulnerable SSLv3 protocol.

  1. Edit the nginx configuration file: vim /etc/cb/nginx/conf.d/cb.conf
     Note: If you use a cb-multihome.conf file instead of cb.conf to segment the Web UI and Sensor ports, update the cb-multihome.conf file and make the change below in the server { } directive for the Web UI.
  2. Add the following line to the server directive: "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;"
  3. Restart cb-enterprise

An example of an updated cb.conf file is below. The added directive is the ssl_protocols line.

server
{
# IMPORTANT: If listener configuration is updated here, make sure to
# also update corresponding Nginx#### parameters in /etc/cb/cb.conf file
listen [::]:80 ipv6only=off;
listen [::]:443 ssl ipv6only=off;

include /var/run/cb/nginx.runtime.ssl_certificate.prop;
include /var/run/cb/nginx.runtime.ssl_certificate_key.prop;

ssl_client_certificate /etc/cb/certs/cb-client-ca.crt;
ssl_verify_client optional;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# By default, serve HTML + CSS for the UI
root /var/www/cb/;
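A clustered or multihome deployment has several server blocks and each one needs the directive, so it is worth auditing the file rather than eyeballing it. The following Python is an added example and is not part of the original post or of the Carbon Black product. It assumes nginx's built-in default of the period (SSLv3 TLSv1 TLSv1.1 TLSv1.2, which nginx 1.9.1 later changed) applies wherever a server block has no ssl_protocols directive and no http-level one to inherit; the sample configuration texts and the 8443 sensor port inside it are constructed for illustration.

```python
import re

# nginx's built-in default when no ssl_protocols directive is present, as it
# stood in the nginx releases current in 2014 (assumption; override for newer builds).
LEGACY_NGINX_DEFAULT = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

PROTO_RE = re.compile(r"\bssl_protocols\s+([^;]+);")


def _strip_comments(text):
    """Drop '#' comments so a commented-out directive is not mistaken for a live one."""
    return re.sub(r"#[^\n]*", "", text)


def _server_blocks(text):
    """Return the body of every 'server { ... }' block, found by brace counting."""
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        end = i - 1 if depth == 0 else i      # exclude the closing brace if we found it
        blocks.append(text[m.end():end])
    return blocks


def _protocols_in(text, fallback):
    m = PROTO_RE.search(text)
    return tuple(m.group(1).split()) if m else fallback


def audit_ssl_protocols(config_text, nginx_default=LEGACY_NGINX_DEFAULT):
    """Per server block: the protocols nginx would offer and whether SSLv2/SSLv3 is among them.

    A server block without its own directive inherits an http-level one and,
    failing that, nginx's built-in default, which is where SSLv3 hides.
    """
    text = _strip_comments(config_text)
    servers = _server_blocks(text)
    outside = text
    for body in servers:                      # what is left is http-level (or above)
        outside = outside.replace(body, "")
    http_level = _protocols_in(outside, nginx_default)
    report = []
    for n, body in enumerate(servers, 1):
        protos = _protocols_in(body, http_level)
        report.append({
            "server": n,
            "protocols": protos,
            "explicit": PROTO_RE.search(body) is not None,
            "sslv3_allowed": any(p.upper() in ("SSLV2", "SSLV3") for p in protos),
        })
    return report


def unfixed_servers(config_text, nginx_default=LEGACY_NGINX_DEFAULT):
    """Numbers of the server blocks that still permit SSLv2/SSLv3."""
    return [r["server"] for r in audit_ssl_protocols(config_text, nginx_default)
            if r["sslv3_allowed"]]


# Constructed sample modelled on the cb.conf fragment above, with the fix applied.
FIXED_CONF = """
server
{
    listen [::]:443 ssl ipv6only=off;
    ssl_client_certificate /etc/cb/certs/cb-client-ca.crt;
    ssl_verify_client optional;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    root /var/www/cb/;
}
"""

# Constructed multihome-style sample: only the Web UI block got the directive,
# the second (hypothetical sensor port 8443) block silently inherits the default.
MULTIHOME_CONF = """
server {
    listen [::]:443 ssl ipv6only=off;
    # ssl_protocols SSLv3;   (commented out, must not count)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / { root /var/www/cb/; }
}
server {
    listen [::]:8443 ssl ipv6only=off;
    root /var/www/cb/;
}
"""

if __name__ == "__main__":
    for name, conf in (("fixed", FIXED_CONF), ("multihome", MULTIHOME_CONF)):
        print(name, "server blocks still allowing SSLv3:", unfixed_servers(conf) or "none")
```

Run it against your own cb.conf or cb-multihome.conf by reading the file into audit_ssl_protocols; a block reported with explicit set to False is relying on inheritance or on the built-in default, which is exactly the case the three steps above are meant to eliminate.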

How can I confirm that my server has been updated correctly?

If your server is accessible from the internet, you can use Qualys SSL Labs’ excellent SSL Server Test. In the Configuration / Protocols section, you should see SSL 3 listed as “No” (and SSL 2 should also be a “No” or you are vulnerable to other more severe vulnerabilities).

If your server is not externally accessible, you can still test it easily using openssl:

openssl s_client -connect [YourServer]:443 -ssl3

If the connection succeeds (openssl prints the certificate chain and session details and waits for input), then your server is still vulnerable. If you get a handshake failure or the connection aborts (returning you to your command shell/console/terminal), then you are not vulnerable.
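The openssl check depends on a local build that can still speak SSLv3; current OpenSSL releases are built without it, so -ssl3 fails on the client side and tells you nothing about the server. The following Python is an added example, not from the original post, that performs the same check independently: it sends a minimal SSLv3 ClientHello to a server you operate and classifies the first record that comes back the same way the paragraph above interprets the openssl result (ServerHello at version 3.0 means vulnerable; an alert or a dropped connection means not vulnerable). The cipher list and the sample responses in the test are constructed; classify_response can also be run on its own against captured bytes.

```python
import os
import socket

SSLV3 = b"\x03\x00"
# Constructed cipher list: three RSA suites any SSLv3-era server would recognise
# (AES128-SHA, DES-CBC3-SHA, RC4-SHA).
CIPHER_SUITES = b"\x00\x2f" b"\x00\x0a" b"\x00\x05"

ALERT_NAMES = {10: "unexpected_message", 40: "handshake_failure",
               47: "illegal_parameter", 70: "protocol_version"}


def build_sslv3_client_hello():
    """Minimal SSLv3 ClientHello record (no extensions; SSLv3 has none)."""
    body = (SSLV3                                          # client_version = 3.0
            + os.urandom(32)                               # random
            + b"\x00"                                      # empty session_id
            + len(CIPHER_SUITES).to_bytes(2, "big") + CIPHER_SUITES
            + b"\x01\x00")                                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # client_hello
    return b"\x16" + SSLV3 + len(handshake).to_bytes(2, "big") + handshake  # handshake record


def classify_response(data):
    """Map the server's first record to (status, detail), mirroring the openssl outcomes."""
    if not data:
        return ("not_vulnerable", "connection closed without a handshake")
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:                       # Alert record
        desc = data[6]
        return ("not_vulnerable", "alert " + ALERT_NAMES.get(desc, str(desc)))
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # ServerHello
        version = bytes(data[9:11])
        if version == SSLV3:
            return ("vulnerable", "server completed an SSLv3 ServerHello")
        return ("unknown", "ServerHello with unexpected version " + version.hex())
    return ("unknown", "unrecognised response " + bytes(data[:5]).hex())


def probe_sslv3(host, port=443, timeout=5.0):
    """Send the ClientHello to a server you operate and classify its first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""                                   # aborted connection: not vulnerable
    return classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # your own server
    status, detail = probe_sslv3(target)
    print(target, status, detail)
```

A reset or a clean close before any record is treated the same as an alert, because a server that has SSLv3 disabled may do either depending on its TLS stack; only a ServerHello carrying version 3.0 proves the downgrade path is still open.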

What if I have more questions?

As always, Bit9 + Carbon Black support is here to help. Give us a call.

TAGS: bit9 / Carbon Black / google / POODLE / ssl / Vulnerability
