Recently the National Cybersecurity and Communications Integration Center issues an alert concerning SSL 3.0 Protocol Vulnerability and POODLE Attack.(1) According to the alert:
- All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios.
- Some Transport Layer Security (TLS) implementations are also vulnerable to the POODLE attack.
- US-CERT is aware of a design vulnerability found in the way SSL 3.0 handles block cipher mode padding. The POODLE attack demonstrates how an attacker can exploit this vulnerability to decrypt and extract information from inside an encrypted transaction.
What does this mean to medical practices? You may have systems and applications which could be using the SSL 3.0 such your patient portal. Such systems and applications are vulnerable should be addressed. According to the alert, “There is currently no fix for the vulnerability SSL 3.0 itself, as the issue is fundamental to the protocol; however, disabling SSL 3.0 support in system/application configurations is the most viable solution currently available.”
What should I do? Contact your IT staff or consultant and make sure that they are aware of the problem and have appropriately disabled any SSL 3.0.