A couple of months after researchers at Google uncovered POODLE (Padding Oracle On Downgraded Legacy Encryption), a vulnerability in a specific version of the SSL protocol, security firm Qualys has announced that the issue also affects implementations of the TLS protocol.
Poodle allows attackers to compromise the secure connection between a user’s browser and a website server, allowing them to steal data or launch an attack. Initially, it was believed that the vulnerability affected only SSL v3.0, which is nearly 15 years old at this point, but it has now been discovered that the problem, which arises from an error in the handling of padding, also affects some implementations of TLS.
The Qualys report says that even though TLS is very strict about how its padding is formatted, some of its implementations do not check the padding structure after decryption, making them vulnerable to the attack.
So far, load balancers manufactured by F5 and A10 have found to be vulnerable, which means that the problem is likely to affect some of the most popular web sites in the world, including Bank of America, VMware, Accenture, and more.
According to the security firm’s most recent SSL Pulse scan, which covers 1 million of the most popular HTTPS-enabled websites, nearly 10 percent of the servers are vulnerable to a Poodle attack against TLS.
F5 has already posted patches for their products, and A10 is also expected to follow suit. Meanwhile, webmasters can check if their servers, or load balancers, are vulnerable by using the Qualys SSL Labs server test.