Is Poodle's bark worse than its bite? Only time will tell whether attackers will wreak havoc by exploiting the flaw in the widely supported SSL v3.0 protocol. But it looks like they will have plenty of opportunity to do their dirty work until users and operators turn off support for the protocol, as evidenced by findings released Thursday by Netskope that 3,562 SaaS apps still accept SSL v3.0 and are therefore exposed to Poodle.
“Netskope continuously monitors thousands of SaaS apps and our preliminary analysis has shown that more than 3,562 of them are still vulnerable due to their current support for SSL v3.0,” Ravi Balupari, director of engineering and cloud security research at the company, wrote in a blog post, though a later update on the company's website showed that by press time the number had dropped to 3,329 cloud apps.
Karl Sigler, director of SpiderLabs Threat Intelligence at Trustwave, told SCMagazine.com in an email that “while potentially severe if a successful attack occurs,” the threat is minimized, in part, because currently “there are no existing Proof of Concept or tools that exist to exploit POODLE.”
But Sigler warned, “This is bound to change in the days to come.”
And that makes it all the more important for operators and users to move quickly to blunt the impact of Poodle by disabling SSL v3.0 on servers and in clients. Where a client must keep SSL v3.0 for legacy reasons, supporting the TLS_FALLBACK_SCSV signalling value at least stops an attacker from forcing a downgrade to it, but removing the protocol is the only complete fix.
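The check an operator wants before and after turning SSLv3 off is whether a server will still complete an SSL 3.0 handshake. The following is an added example, not code from the article or from any of the vendors quoted: a small Python probe that builds a raw SSL 3.0 ClientHello, sends it, and classifies the first record that comes back. The sample server responses are constructed here so the classifier can be exercised offline; `probe`, `classify_response` and the default target are my own names and assumptions.

```python
"""Probe a TLS endpoint for SSL 3.0 support with a raw SSL 3.0 ClientHello.

Added example (not from the article). classify_response() is pure and can be
tested offline on the constructed sample responses below; probe() performs
the live handshake against a host you name.
"""
import socket
import struct
import sys

SSL3_VERSION = 0x0300
# CBC cipher suites commonly enabled on SSLv3 servers; POODLE's padding
# oracle only applies when a CBC suite is negotiated.
CBC_SUITES = {0x002F: "AES128-SHA", 0x0035: "AES256-SHA", 0x000A: "DES-CBC3-SHA"}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_sslv3_client_hello(cipher_suites=(0x002F, 0x0035, 0x000A)):
    """Return one SSL 3.0 record carrying a minimal ClientHello (RFC 6101 layout)."""
    client_random = b"\x00" * 32            # 4-byte time + 28 random bytes; constant is fine for a probe
    session_id = b""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    compression = b"\x00"                   # null compression only
    body = (struct.pack("!H", SSL3_VERSION)
            + client_random
            + struct.pack("!B", len(session_id)) + session_id
            + struct.pack("!H", len(suites)) + suites
            + struct.pack("!B", len(compression)) + compression)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 3-byte length
    return b"\x16" + struct.pack("!H", SSL3_VERSION) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record a server sent back to the SSL 3.0 ClientHello.

    Returns (verdict, detail). verdict is one of:
      'sslv3_accepted' - server answered with an SSL 3.0 ServerHello (vulnerable surface)
      'rejected'       - server sent an alert
      'no_reply'       - empty reply / connection closed (many servers reject this way)
      'other_version'  - ServerHello carried a version other than 0x0300 (malformed or proxy)
      'unknown'        - some other record type
    """
    if len(data) < 5:
        return ("no_reply", "connection closed or empty response")
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:                    # alert record
        level, desc = data[5], data[6]
        return ("rejected", "alert %s (level %d)" % (ALERT_NAMES.get(desc, str(desc)), level))
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # handshake/ServerHello
        version = struct.unpack("!H", data[9:11])[0]
        if version != SSL3_VERSION:
            return ("other_version", "server answered with version 0x%04x" % version)
        detail = "server completed SSL 3.0 ServerHello"
        sid_len_index = 9 + 2 + 32                                   # after version + server random
        if len(data) >= sid_len_index + 1:
            cipher_index = sid_len_index + 1 + data[sid_len_index]
            if len(data) >= cipher_index + 2:
                suite = struct.unpack("!H", data[cipher_index:cipher_index + 2])[0]
                name = CBC_SUITES.get(suite)
                detail += ", cipher 0x%04x" % suite + (" %s (CBC, POODLE-exposed)" % name if name else "")
        return ("sslv3_accepted", detail)
    return ("unknown", "unexpected record type 0x%02x" % content_type)


def probe(host, port=443, timeout=5.0):
    """Connect, send the SSL 3.0 ClientHello, and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except OSError:           # timeout or reset: treat as a refusal
            reply = b""
    return classify_response(reply)


# Constructed sample responses (not captured from any real server) for offline use.
# ServerHello: record hdr (type 0x16, ver 0x0300, len 42) + hs hdr (type 2, len 38)
# + version 0x0300 + 32-byte random + empty session id + cipher 0x002F + null compression
SAMPLE_SERVER_HELLO_SSLV3 = (b"\x16\x03\x00\x00\x2a" + b"\x02\x00\x00\x26" + b"\x03\x00"
                             + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00")
# Fatal (level 2) handshake_failure (40) alert, the usual reply once SSLv3 is disabled
SAMPLE_ALERT_HANDSHAKE_FAILURE = b"\x15\x03\x00\x00\x02\x02\x28"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # hypothetical default target
    verdict, detail = probe(target)
    print("%s: %s (%s)" % (target, verdict, detail))
```

A `no_reply` verdict is as good as an alert: plenty of stacks simply close the socket on an unsupported protocol version. The server-side fix the probe is checking for is a one-line protocol list, for example `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in nginx or `SSLProtocol all -SSLv2 -SSLv3` in Apache httpd; re-run the probe after reloading to confirm the verdict changes from `sslv3_accepted`.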
In an email to SCMagazine.com, Tod Beardsley, TK at Rapid7, said he was surprised at “how many decision makers of large, popular websites still are insisting on support for SSLv3.”
Added Sigler, “POODLE is sort of a sequel to the BEAST and CRIME attacks before it. What it really reminds us is that SSLv3 is antiquated.”
The Poodle threat may finally sound the death knell for SSLv3.0, experts said.
“Hopefully POODLE is the final nail in SSLv3's coffin so businesses can move on to TLS protocols,” said Sigler.