This post is one in a series of posts describing TLS CBC padding oracles I have identified on popular web sites. The other posts in this series include an overview of CBC padding oracles, a walkthrough of how I came to develop a new CBC padding oracle scanner, and a write-up on the GOLDENDOODLE attack.
Although not POODLE per se, Zombie POODLE is in many ways a resurrection of the well-known POODLE TLS (aka POODLE BITES or POODLE 2.0) attack. POODLE TLS and Zombie POODLE both exploit server stacks which behave differently when receiving TLS records with valid MAC and invalid (non-deterministic) padding. This is known as a ‘padding oracle’.
The difference is that Zombie POODLE generically refers to the exploitation of a wide range of implementation errors which create this valid MAC/invalid pad oracle. While POODLE TLS specifically implies that the stack does not validate padding bytes at all, Zombie POODLE typically implies that the implementation did validate padding bytes but inadvertently leaked the result.
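To make the distinction concrete, the following added example (written for this page, not code from the original post or from any of the affected products) models the TLS 1.2 CBC record check on the server side after CBC decryption has already happened. It assumes HMAC-SHA256 as the record MAC, a 16-byte block size, and constructed inputs (the MAC key, sequence number and content are made up). `leaky_check` validates padding and then the MAC but reports which one failed, which is exactly the valid MAC/invalid pad distinction a Zombie POODLE oracle exposes; `uniform_check` follows the RFC 5246 section 6.2.3.2 advice of always computing the MAC and returning a single `bad_record_mac` outcome whatever the cause.

```python
import hmac
import hashlib

MAC_LEN = hashlib.sha256().digest_size  # HMAC-SHA256 tag length (32 bytes)
BLOCK = 16                              # AES block size used by TLS CBC suites


def _mac(mac_key: bytes, seq: int, ctype: int, version: bytes, content: bytes) -> bytes:
    # TLS 1.2 record MAC input: seq_num(8) || type(1) || version(2) || length(2) || fragment
    hdr = seq.to_bytes(8, "big") + bytes([ctype]) + version + len(content).to_bytes(2, "big")
    return hmac.new(mac_key, hdr + content, hashlib.sha256).digest()


def protect(mac_key: bytes, seq: int, ctype: int, version: bytes, content: bytes) -> bytes:
    """MAC-then-pad as TLS 1.2 CBC suites do. Returns the plaintext that would be CBC-encrypted."""
    body = content + _mac(mac_key, seq, ctype, version, content)
    pad_len = BLOCK - (len(body) + 1) % BLOCK       # pad so the final length is a block multiple
    return body + bytes([pad_len]) * (pad_len + 1)  # pad_len+1 bytes, each equal to pad_len


def leaky_check(mac_key: bytes, seq: int, ctype: int, version: bytes, decrypted: bytes) -> str:
    """Vulnerable ordering: a padding failure is reported differently from a MAC failure."""
    if len(decrypted) < MAC_LEN + 1:
        return "decode_error"
    pad_len = decrypted[-1]
    if pad_len + 1 + MAC_LEN > len(decrypted):
        return "decode_error"
    if any(b != pad_len for b in decrypted[-(pad_len + 1):]):
        return "decode_error"  # distinct outcome for a record whose MAC is valid but padding is not
    body = decrypted[:-(pad_len + 1)]
    content, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, _mac(mac_key, seq, ctype, version, content)):
        return "bad_record_mac"
    return "ok"


def uniform_check(mac_key: bytes, seq: int, ctype: int, version: bytes, decrypted: bytes) -> str:
    """Hardened ordering: always run the MAC and collapse every failure into bad_record_mac."""
    if len(decrypted) < MAC_LEN + 1:
        return "bad_record_mac"
    pad_len = decrypted[-1]
    padding_ok = (pad_len + 1 + MAC_LEN <= len(decrypted)) and all(
        b == pad_len for b in decrypted[-(pad_len + 1):]
    )
    if not padding_ok:
        pad_len = 0  # treat as zero-length padding so the MAC is still computed and checked
    body = decrypted[:-(pad_len + 1)]
    content, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(tag, _mac(mac_key, seq, ctype, version, content))
    return "ok" if (padding_ok and mac_ok) else "bad_record_mac"


def demo() -> dict:
    """Runs both checks over a valid record, a valid-MAC/bad-padding record and a bad-MAC record."""
    key = b"constructed-mac-key-for-demo-only"  # constructed sample key, not a real secret
    seq, ctype, version = 1, 23, b"\x03\x03"    # application_data, TLS 1.2
    good = bytearray(protect(key, seq, ctype, version, b"GET / HTTP/1.1\r\n"))
    bad_pad = bytearray(good)
    bad_pad[-2] ^= 0x01  # corrupt a padding byte but leave the MAC and pad-length byte intact
    bad_mac = bytearray(good)
    bad_mac[0] ^= 0x01   # corrupt the content so the MAC no longer verifies
    results = {}
    for name, rec in (("valid", good), ("valid_mac_bad_pad", bad_pad), ("bad_mac", bad_mac)):
        rec = bytes(rec)
        results[name] = (
            leaky_check(key, seq, ctype, version, rec),
            uniform_check(key, seq, ctype, version, rec),
        )
    return results


if __name__ == "__main__":
    for name, (leaky, uniform) in demo().items():
        print(f"{name:>18}: leaky={leaky:<15} uniform={uniform}")
```

The leaky variant answers `decode_error` for the valid MAC/bad padding record and `bad_record_mac` for the bad MAC record, so a peer can tell the two apart; the uniform variant answers `bad_record_mac` to both. Note that this only removes the observable-error distinction the post is about; the MAC computation length still depends on the padding value, so a real implementation also needs the constant-time treatment associated with Lucky 13.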
For more details on how I came to identify this behavior, please check out this background post and also this one which details GOLDENDOODLE. As discussed in my other posts, I developed a new TLS CBC padding oracle scanner and used it to scan the top 1 million web site domains as ranked by Alexa.
Scan data from before Citrix and F5 released advisories revealed 68 different behavior profiles across roughly 3,800 domains flagged with Zombie POODLE. (Many hosts technically have both Zombie POODLE and GOLDENDOODLE, but to avoid double-counting, these hosts are not considered in this count.)
The most common Zombie POODLE behavior was associated primarily with Citrix NetScaler making use of SSL hardware acceleration but also may be found on some configurations of other TLS stacks. These systems respond to all MAC or (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Craig Young. Read the original post at: https://www.tripwire.com/state-of-security/vert/zombie-poodle/