Guard against GoldenDoodle

Zyxel_Forum_Admin
edited September 2021 in Security Highlight

Vulnerable TLS1.2 with CBC cipher suite

Zombie POODLE and GOLDENDOODLE are similar to ROBOT, DROWN and many other vulnerabilities affecting HTTPS: these issues stem from the continued use of cryptographic modes that should have been deprecated long ago and yet are inexplicably still supported in TLSv1.2. In this case, the troublesome feature is that TLSv1.2 supports CBC-mode cipher suites.


Impact:

The attack requires a man-in-the-middle (MITM) position. It takes valid records and alters either the MAC or the padding, or otherwise causes TLS errors. If the TLS server responds differently to each of these errors, it can leak information about the plaintext message.


Mitigation (On Host Device):

Disable all support for CBC cipher suites on the web server, such as Apache.


Mitigation (On Network):

Update to the latest version of the IDP signature, then enable the IDP function to protect your host.


Revision history

2018-08-21: Initial release
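
For the host-side mitigation above, the following added example (not part of the original advisory or any Zyxel tooling) expands an OpenSSL cipher string, such as one given to Apache's `SSLCipherSuite` directive, and lists any CBC suites it still enables. It assumes the local OpenSSL build matches the server's; the two sample cipher strings are constructed for illustration.

```python
import ssl


def cbc_suites(cipher_string):
    """Expand an OpenSSL cipher string and return the CBC suites it enables.

    Returns a list of (suite_name, protocol) tuples; an empty list means the
    string enables no CBC-mode suites on this OpenSSL build.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    found = []
    for suite in ctx.get_ciphers():
        # OpenSSL names such as AES128-SHA do not contain "CBC"; the mode is
        # only visible in the per-suite metadata ("aes-128-cbc", ...).
        if "cbc" in (suite.get("symmetric") or "").lower():
            found.append((suite["name"], suite["protocol"]))
    return found


# Constructed sample cipher strings (assumptions, not from the advisory).
CANDIDATES = {
    "legacy": "HIGH:!aNULL:!MD5",               # common older setting
    "aead_only": "ECDHE+AESGCM:ECDHE+CHACHA20",  # GCM / ChaCha20-Poly1305 only
}


def audit(candidates=CANDIDATES):
    """Map each labelled cipher string to the CBC suites it still enables."""
    return {label: cbc_suites(spec) for label, spec in candidates.items()}


if __name__ == "__main__":
    for label, suites in audit().items():
        status = "CBC still enabled" if suites else "no CBC suites"
        print(f"{label}: {status} ({len(suites)} found)")
        for name, protocol in suites:
            print(f"    {name} [{protocol}]")
```

TLS 1.3 suites always appear in the expanded list but are AEAD-only, so they are never flagged.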