
Protecting Against POODLE Attacks

Topics

Overview

What Products are Affected?

Steps to Protect Against POODLE Attacks

Applying the EQEnableSSL Hotfix

Disabling SSL 3.0 in Windows Registry

Disabling SSL 3.0 in LDAP Servers

Disabling SSL 3.0 with DWS Hotfix

Enabling HTTPS for Web Client Servers

Overview

POODLE (Padding Oracle On Downgraded Legacy Encryption) is an attack against a design flaw in the SSL 3.0 protocol which allows attackers to decode the encrypted data of a secure SSL 3.0 connection. Refer to http://googleonlinesecurity.blogspot.ca/2014/10/this-poodle-bites-exploiting-ssl-30.html and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 for detailed descriptions.

The POODLE attack allows a man-in-the-middle to intercept a communication between two systems using SSL 3.0 (e.g. a client and a server). The attack involves JavaScript from the attacker running in the user's browser; the JavaScript submits specially formatted requests to the server, reconnecting as needed. The man-in-the-middle causes connection errors that force a protocol downgrade to SSL 3.0, and also manipulates the part of the encrypted data that the attack is trying to decode.

The attack does not allow the attackers to decode entire conversations with a single connection; it takes 256 SSL 3.0 requests to reveal one byte of encrypted information.

Any systems and applications utilizing SSL 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable to the POODLE attack.

The best way to protect against the POODLE attack is to disable SSL 3.0 support completely. If the SSL 3.0 communication link is broken, then the POODLE attack cannot happen. However, disabling SSL 3.0 may impact connectivity or interoperability between clients and servers.

What Products are Affected?

Customers that have previously enabled SSL communication features (see “Enabling SSL Communication” in the associated Administration Guide) and are using one of the listed products below are affected.

• Equitrac Office 5.0, 5.1, 5.2, 5.3 and 5.4

• Equitrac Office 4.2.6 and earlier

• Equitrac Express 5.0, 5.1, 5.2, 5.3 and 5.4

• Equitrac Express 4.2.6 and earlier

• Equitrac Professional 5.0 through 5.6

• Xerox Secure Print Management Suite (XSPMS) 5.3 and 5.4

• Xerox Secure Access (XSA) 5.3

• Xerox Secure Access (XSA) 4.1.1

For customers that have not enabled SSL communications and wish to do so, follow the steps in this guide to disable SSL 3.0 and apply the necessary patches to enable SSL support.

For Equitrac Express, Equitrac Office, XSPMS and XSA, disable SSL 3.0 in the following areas:

• Apply a hotfix to correct an issue with the EQEnableSSL tool on 64-bit systems (see Applying the EQEnableSSL Hotfix).

• In the Windows registry for the following (see Disabling SSL 3.0 in Windows Registry):

  • Servers running CAS (Scheduler), DRE, DCE (DWS), DME, SPE

  • Workstations running DRC (optional but recommended)

  • Workstations running System Manager (optional but recommended; important for User Tools and EQCmd)

  • Web Client servers

  • Active Directory server

• LDAP servers (see Disabling SSL 3.0 in LDAP Servers)

• DWS (see Disabling SSL 3.0 with DWS Hotfix)

• Force HTTPS protocol in IIS for Web Client (see Enabling HTTPS for Web Client Servers)

For Equitrac Professional, disable SSL 3.0 in the following areas:

• In the Windows registry for the following (see Disabling SSL 3.0 in Windows Registry):

  • Servers running CAS (Scheduler), CPS, DRE, DCE, DME or SPE

  • Web Client servers

  • Active Directory servers

• LDAP servers (see Disabling SSL 3.0 in LDAP Servers)

• Force HTTPS protocol in IIS for Web Client (see Enabling HTTPS for Web Client Servers)

Steps to Protect Against POODLE Attacks

Applying the EQEnableSSL Hotfix

In order to correct an issue with servers running on 64-bit architectures, apply the following hotfixes. The hotfix does not apply to Equitrac services running on 32-bit architectures.

• Equitrac Office/Express/XSA/XSPMS 5.4 – EQ54-HF-238665-Tools.msp

• Equitrac Office/Express/XSA/XSPMS 5.3 – EQ53-HF-238600-Tools.msp

• Equitrac Office/Express 4.2.6 – EO-EE426-HF-238526-Tools.exe

Customers running Equitrac Office/Express versions 4.x (prior to 4.2.6) must upgrade to 4.2.6 and then apply the patch.

Customers running Equitrac Office/Express/XSA/XSPMS versions 5.0, 5.1, 5.2 must upgrade to 5.3 or 5.4, and then apply the patch.

Customers running Xerox Secure Access 4.1.1 must upgrade to Xerox Secure Access 5.3 and then apply the patch.

The patch must be installed on all Equitrac servers in an installation. Once the patch has been applied, re-run the EQEnableSSL.exe -e command (as Administrator) to re-enable SSL support in the product. Refer to "Enabling SSL Communication" in the associated Administration Guide for further details.

The EQEnableSSL.exe tool is located in the following product folders:

• Program Files\Equitrac\Office\Tools

• Program Files\Equitrac\Express\Tools

• Program Files\Xerox\Xerox Secure Print Manager Suite\Tools

• Program Files\Xerox\Xerox Secure Access\Tools

Disabling SSL 3.0 in Windows Registry

In order to disable SSL 3.0 support for servers and clients, the Windows registry must be edited. Windows Server 2008 supports the SSL 2.0, SSL 3.0 and TLS 1.0 protocols, and Windows Server 2008 R2 and Windows 7 support SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. Although SSL 2.0 is the only security protocol displayed by default in the registry, SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2 are all enabled by default even though their entries are not present in the registry. Refer to the following Microsoft Knowledge Base article for more details: http://support2.microsoft.com/default.aspx?scid=kb;EN-US;245030#top

To manually edit the Windows registry to disable SSL 3.0, do the following:

Select Start > Run.

Type regedit and click OK to open the Registry Editor.

In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Under Protocols, add the SSL 3.0 key.

Within the SSL 3.0 key, add Client and Server keys.


Open the SSL 2.0 key, and set the Enabled value to 0 in both the Client and Server keys.

Reboot the server.

After reboot, test all applications on the Client and Server for compatibility before rolling out the change.

Although the TLS protocols are enabled by default, they do not appear in the registry. After disabling SSL 2.0 and SSL 3.0, it is a good idea to ensure that at least one of the TLS protocols is enabled.

To explicitly enable the TLS protocols in the registry, do the following:

Create keys for one or all of the TLS 1.0, TLS 1.1 and TLS 1.2 protocols.

Within each of the protocol keys, add Client and Server keys.

Within each of the Client and Server keys, create the following DWORD values:

• DisabledByDefault with a value of 0.

• Enabled with a value of 1.

Reboot the server if required.
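The two registry procedures above (disabling SSL 2.0 and SSL 3.0, then explicitly enabling TLS 1.0, 1.1 and 1.2) can be scripted instead of clicked through in the Registry Editor. The following PowerShell is an added example and is not part of the Equitrac guide; it writes the same keys and DWORD values the steps describe and then reads them back so the result can be checked after the reboot. Setting DisabledByDefault to 1 on the disabled protocols is an addition beyond the guide, which only mentions Enabled = 0.

```powershell
# Added example (not from the Equitrac guide): create the Schannel protocol keys
# and values the guide describes, then read them back for verification.
# Run in an elevated PowerShell on each server/workstation, then reboot.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Name,     # e.g. 'SSL 3.0' or 'TLS 1.2'
        [Parameter(Mandatory)] [bool]   $Enabled   # $true = enable, $false = disable
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $base $Name) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 / DisabledByDefault=0 turns the protocol on for Schannel;
        # Enabled=0 / DisabledByDefault=1 turns it off. DisabledByDefault=1 for the
        # disabled case is an assumption added here; the guide itself sets Enabled=0.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# The guide's two procedures: disable SSL 2.0 and SSL 3.0, explicitly enable TLS 1.0-1.2.
foreach ($p in 'SSL 2.0', 'SSL 3.0')           { Set-SchannelProtocol -Name $p -Enabled $false }
foreach ($p in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') { Set-SchannelProtocol -Name $p -Enabled $true }

# Read back every protocol key present under Protocols (the guide's "after reboot,
# ensure that SSL 3.0 is disabled in the registry" check).
function Get-SchannelProtocolState {
    foreach ($proto in Get-ChildItem -Path $base) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $proto.PSPath $side
            if (Test-Path $key) {
                $v = Get-ItemProperty -Path $key
                [pscustomobject]@{
                    Protocol          = $proto.PSChildName
                    Side              = $side
                    Enabled           = $v.Enabled
                    DisabledByDefault = $v.DisabledByDefault
                }
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

After the reboot, a row showing SSL 3.0 with Enabled = 0 for both Client and Server confirms the change took effect; a missing TLS row means the protocol is still relying on the platform default rather than an explicit setting.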

Alternatively, the registry can be modified using a software tool such as IIS Crypto to quickly make changes without manually editing the registry itself.

To use IIS Crypto to edit the Windows registry, do the following:

Go to https://www.nartac.com/Products/IISCrypto/ and download the appropriate GUI or command line tool.

Run the tool to open the UI.

Select the desired Protocols to enable on the client and server, and deselect the protocols you want to disable.

Or, click Best Practices to allow the program to select the most appropriate protocols and ciphers for your system.

Click Apply.

Reboot your computer for the changes to take effect. IIS Crypto does not reboot your computer.

After reboot, ensure that SSL 3.0 is disabled in the registry.

Disabling SSL 3.0 in LDAP Servers

Some components do not provide configuration parameters to disable SSL 3.0. Currently, the following components fall into this category:

• OpenLDAP

• CUPS

It is possible to disable SSL 3.0 for these components by using stunnel. Stunnel provides an encryption wrapper between a remote client and a local (inetd-startable) or remote server, using the OpenSSL library for cryptography.

To disable SSLv3 on stunnel, use the following configuration parameters in the stunnel.conf file:

options = NO_SSLv2
options = NO_SSLv3

Installation and configuration of stunnel is outside the scope of this solution. Please consult the man pages and system documentation for more details.

NOTE: Newer openldap-servers packages have a TLSProtocolMin option. If openldap-servers is openldap-servers-2.4.39el6 (for RHEL6), openldap-servers-2.4.39-3.el7 (for RHEL7) or later, add "TLSProtocolMin 3.1" in slapd.conf to disable SSL 3.0 (3.1 is TLS 1.0). Refer to man slapd.conf for details.

See https://access.redhat.com/solutions/1234843 for details.
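To show how the two options lines above fit into a working wrapper, the following stunnel.conf is an added example and not part of the Equitrac guide. It assumes an OpenLDAP server listening in cleartext on 127.0.0.1:389 and a certificate/key pair at the paths shown (placeholders); stunnel terminates LDAPS on port 636 for the Equitrac servers and refuses SSL 2.0 and SSL 3.0, so only TLS is negotiated with the client.

```ini
; Added example stunnel.conf (not from the guide): LDAPS wrapper in front of slapd.
; Certificate and key paths are placeholders; use the server's own files.
cert = /etc/stunnel/ldap-server.pem
key  = /etc/stunnel/ldap-server.key

; Drop privileges after binding port 636 (account names are assumptions).
setuid  = stunnel
setgid  = stunnel

; Global options apply to every service section below.
options = NO_SSLv2
options = NO_SSLv3

[ldaps]
; Accept TLS on 636 from remote clients, forward cleartext to the local slapd.
accept  = 636
connect = 127.0.0.1:389
```

With this in place the Equitrac server is pointed at port 636 of the stunnel host rather than at slapd directly, and a client that can only speak SSL 3.0 fails the handshake instead of being downgraded to it.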

Disabling SSL 3.0 with DWS Hotfix

In order to disable SSL 3.0 for DWS components, apply the following hotfixes (EQ54-HF-237763-DWS and EQ53-HF-237764-DWS). The DWS hotfixes support Equitrac Office and Express versions 5.3 and 5.4.

It is sufficient to patch only the client or the server with the DWS hotfix in order to prevent POODLE attacks. As long as either the client or the server does not support SSL 3.0, the attack cannot happen. By applying DWS hotfixes, MFPs that are configured for HTTPS communications are protected from POODLE attacks when interacting with Equitrac server products.

When disabling SSL 3.0 from servers hosting MFP web configuration pages, the managed devices must support TLS 1.x in order for the Administrator to manage/update the device, and to maintain secure communication between the server and the networked device.

Customers should contact their MFP manufacturer/representative to determine if new firmware is available to disable SSL 3.0 on the networked devices, and to determine if any devices within their environment do not support TLS 1.x.

Additionally, the MFP representative should provide a list of devices that are vulnerable to the POODLE attack, and provide any available patches.

Additional Security Considerations

Enabling HTTPS for Web Client Servers

In addition to disabling SSL 3.0 on all servers, we recommend that Web Client servers use HTTPS communication for further security. Before enabling HTTPS communication on the Web Client, ensure that the Web Client works using standard HTTP communication. For example, it can be accessed through "http://servername/WebClient". By default, the Web Client is configured to use port 80 and an HTTP binding. For HTTPS communication, an HTTPS binding has to be added to your web site. HTTPS communication requires a certificate.

In order to enable HTTPS communication for Web Client servers, do the following:

• Obtain a Trusted certificate

• Add HTTPS binding

• Force HTTPS protocol

Obtain a Trusted Certificate

For Web Client servers, creating a Domain Certificate through an Enterprise CA is the preferred method. A domain certificate is an internal certificate that does not have to be issued by an external certification authority (CA). If your domain has a server that acts as a CA, you can create a domain certificate and trust that server, and in turn, that trust is passed to all certificates that are signed by that server.

The next best option is to generate a certificate request using the Certificate Wizard, and send the request to a trusted external CA to obtain and import a trusted certificate.

Additionally, you can generate a self-signed certificate in IIS. The disadvantage of a self-signed certificate is that end users are prompted to accept the certificate the first time they access a Web Client server. There is no such prompt for a trusted certificate.

Add HTTPS Binding

To add HTTPS bindings in IIS, do the following:

Open the Internet Information Services (IIS) Manager.

In the Connections navigation pane, select the web site that contains the WebClient web application. In the case of a default installation, this site is the Default Web Site.

In the right Actions pane, select Bindings in the Edit site section.

In the Site Bindings dialog, click the Add button.


The Web Client is now available through HTTPS communication. For example, it can now be accessed through "https://servername/WebClient".

NOTE: When a self-signed certificate is used, a certificate error may be displayed in the browser. Accept the certificate exception to continue.

Force HTTPS Protocol

To make the configuration more secure, you can disable the HTTP communication method, so users are forced to use the secure HTTPS protocol.

To force HTTPS protocol and disable HTTP in IIS, do the following:

In the Connections navigation pane, select the WebClient web application.

Double-click the SSL Settings icon.

Select the Require SSL checkbox. This option makes IIS reject requests on HTTP.

Close IIS Manager.
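The three steps of this section (obtain a certificate, add the HTTPS binding, require SSL on the WebClient application) can also be done from the command line with the IIS WebAdministration module. The following PowerShell is an added example and not part of the Equitrac guide; the site and application names match the guide's default installation, while the server name, the certificate subject and the self-signed fallback are assumptions for the example. It finishes with a check that HTTPS answers and plain HTTP is refused.

```powershell
# Added example (not from the Equitrac guide): configure HTTPS for the Web Client
# with the WebAdministration module instead of IIS Manager. Run elevated on the
# Web Client server.
Import-Module WebAdministration

$siteName   = 'Default Web Site'   # site that contains the WebClient application
$appName    = 'WebClient'
$serverName = 'servername'         # placeholder, as in the guide's example URL

# 1. Obtain a trusted certificate: pick a CA-issued certificate for this host from
#    the machine store. Fall back to a self-signed one only for testing; browsers
#    will prompt for it, as the guide notes.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$serverName*" -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate for $serverName found; creating a self-signed one (testing only)."
    $cert = New-SelfSignedCertificate -DnsName $serverName -CertStoreLocation Cert:\LocalMachine\My
}

# 2. Add the HTTPS binding on port 443 and attach the certificate. The HTTP binding is
#    left in place at this point so the HTTP check the guide asks for still works.
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
$binding = Get-WebBinding -Name $siteName -Protocol https
$binding.AddSslCertificate($cert.Thumbprint, 'my')

# 3. Force HTTPS: "Require SSL" on the WebClient application (sslFlags = Ssl), which
#    makes IIS reject plain HTTP requests to the application.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$siteName/$appName" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Check the result: HTTPS should return 200, HTTP should be refused (IIS answers 403).
function Test-WebClientHttps {
    param([string] $Server)
    $result = [ordered]@{}
    try {
        $result.Https = (Invoke-WebRequest -Uri "https://$Server/WebClient" -UseBasicParsing).StatusCode
    } catch { $result.Https = $_.Exception.Message }   # e.g. trust error for a self-signed cert
    try {
        Invoke-WebRequest -Uri "http://$Server/WebClient" -UseBasicParsing | Out-Null
        $result.Http = 'still accepted'
    } catch { $result.Http = $_.Exception.Response.StatusCode }
    [pscustomobject]$result
}

Test-WebClientHttps -Server $serverName
```

If the HTTP column still reads "still accepted", the sslFlags setting landed on the wrong location path; confirm the application name under the site in IIS Manager and re-run step 3.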


