First there was Heartbleed, and now we have POODLEbleed. It seems like there is a never-ending stream of bad news about security lately. With POODLE, it has been shown that SSLv3 is insecure and can be compromised pretty much regardless of the algorithms negotiated for the connection, even on connections using AES or 3DES. Normally this would be solved simply by disabling the protocol; after all, we already have TLSv1.0, TLSv1.1, and TLSv1.2, with work already progressing on the next iteration beyond that.

Disabling SSLv3 would be painful, but it would work. The catch is that in most cases you can't disable it, because so many systems still rely on it. The problem is compounded by how the client and server choose the protocol version. Because of how that choice is made, a client can ask for TLSv1.2 and still end up on SSLv3: when the handshake at a higher version fails, the client retries at the next lower version. An attacker who causes those connection problems can therefore push the two sides into agreeing on SSLv3, exposing the connection to the POODLE attack.

POODLE is sure to force updates over the next few months (in fact, Google has already said they will disable SSLv3 in Chrome), so it is worth looking at which of your systems need to be reviewed and updated because of it. Given the nature of the vulnerability, Green Rocket Security has reviewed the GreenRADIUS server and determined that the risk is low, since GreenRADIUS is part of your internal infrastructure and is not usually directly accessible from the Internet. GreenRADIUS uses a secure connection for the admin console and for web connectivity to the services that use it for authentication, and those connections stay inside your internal network rather than crossing the Internet, which minimizes your exposure (if you have a threat there, you have problems beyond POODLE to worry about).

With our next update we will configure the server to require a TLSv1+ connection, ensuring the highest level of security for your infrastructure.
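To make the downgrade mechanism above and the value of a TLSv1+ floor concrete, here is a small model of the version fallback. It is an added illustration, not GreenRADIUS code; the version list, the `disrupted` hook that stands in for handshake failures, and the `minimum` parameter are all constructed for the example.

```python
# Constructed model of protocol-version fallback (not GreenRADIUS code).
# Shows why a client that keeps retrying at lower versions can land on
# SSLv3, and why a floor of TLSv1.0 (or dropping SSLv3 on the server)
# closes that path.

# Versions the client is willing to try, strongest first.
VERSIONS = ["TLSv1.2", "TLSv1.1", "TLSv1.0", "SSLv3"]
RANK = {v: i for i, v in enumerate(VERSIONS)}  # lower index = stronger


def handshake(version, server_versions, disrupted):
    """One handshake attempt; True when it completes.

    `disrupted(version)` is a constructed hook for the "problems
    establishing the connection" mentioned in the post: it returns True
    when an attempt at that version fails for reasons unrelated to the
    server's own configuration.
    """
    return version in server_versions and not disrupted(version)


def connect(server_versions, disrupted, minimum="SSLv3"):
    """Fallback client: try each version in turn, going lower on failure.

    minimum="SSLv3" is the legacy behaviour: every failure lowers the
    version, so induced failures above SSLv3 leave the session on SSLv3.
    minimum="TLSv1.0" is the fix announced above: the client refuses to
    go below the floor and returns None rather than a weak session.
    """
    for version in VERSIONS:
        if RANK[version] > RANK[minimum]:
            break  # would have to drop below the allowed floor: refuse
        if handshake(version, server_versions, disrupted):
            return version
    return None


def no_interference(version):
    return False


def break_all_tls(version):
    # Constructed failure pattern: every TLS attempt fails, SSLv3 does not.
    return version != "SSLv3"


if __name__ == "__main__":
    server = {"TLSv1.2", "TLSv1.1", "TLSv1.0", "SSLv3"}
    print(connect(server, no_interference))           # TLSv1.2
    print(connect(server, break_all_tls))              # SSLv3 (downgraded)
    print(connect(server, break_all_tls, "TLSv1.0"))   # None (refused)
    print(connect(server - {"SSLv3"}, break_all_tls))  # None (SSLv3 disabled)
```

Either control works on its own: the client-side floor stops the fallback, and removing SSLv3 from the server means no client can negotiate it regardless of how it falls back.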