Paessler Blog - All about IT, Monitoring, and PRTG

SSL 3.0 POODLE Vulnerability

Written by Florian Staffort | Oct 21, 2014

After Heartbleed and Shellshock, the next security vulnerability is eager to make 2014 one of the years for admins to remember. This one is called POODLE (Padding Oracle on Downgraded Legacy Encryption) and was found in SSL 3.0, an almost 18-year-old encryption protocol that is used in less than 1% of worldwide SSL traffic—but it is nonetheless still enabled on the server side to support old browsers like, for example, Internet Explorer 6.

Hackers can exploit POODLE to eavesdrop on their victims' web browsing or even hijack their session. To pull this off, the attacker would have to be physically close to their target, for example, in the same WLAN. As a direct result of POODLE, Microsoft released a security advisory urging users to disable SSL 3.0 on Windows systems. The vulnerability with the harmless name was also covered in mainstream media like TIME magazine and the New York Times blog—so it should only be a matter of time until most websites have disabled this protocol and ancient browsers like IE6 are finally retired.

Update PRTG Now to Disable SSL 3.0

PRTG Network Monitor uses SSL for various connections. We have implemented TLS 1.2, the latest version of the SSL successor protocol, and created the most secure PRTG ever. In light of the recent POODLE bug we have also decided to disable the outdated SSL 3.0 encryption, so please update to the newest PRTG stable release:

  • Freeware/trial users: Please go to Setup | Auto Update in the main menu and update your installation (free update);
  • Commercial Licenses: This update requires an active maintenance contract. Please go to Setup | Auto Update in the main menu or log in on our customer service portal to check if you still have active maintenance or if you need to renew your maintenance. When in doubt please contact sales@paessler.com for assistance.

Please note that the necessary deactivation of SSL 3.0 might also affect the way you use PRTG:

  • Remote Probes: After PRTG has been updated all Remote Probes from all previous versions will be able to connect to the new server and download the update automatically.
  • Enterprise Console: After PRTG has been updated no Enterprise Console client will be able to connect and/or download the update automatically. Please update your Enterprise Console manually!
  • Old browsers: After the update, older browsers such as IE6 will not be able to access the web interface anymore (except when you set the web server to port 80 without SSL).
  • No downgrade: Because this update contains a tree version update it is not possible to downgrade to an earlier version of PRTG.

"Weak security" workaround: If the above-mentioned approach is not feasible for your setup, we provide a switch in the web server settings which can be used to set the PRTG web server to "weak security"—this will still allow SSL 3.0 with secure ciphers. Your Enterprise Consoles will then be able to connect to the new server and download the update automatically. Please use this switch only as a temporary measure until you have updated your older Enterprise Consoles and all your browsers!
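Whether you have applied the update or are temporarily running on the "weak security" switch, the one thing an admin wants to verify afterwards is that the web server really no longer negotiates SSL 3.0. The following checker is an added example and is not part of this post or of PRTG; it sends a bare SSL 3.0 ClientHello over a plain socket (modern Python builds have dropped SSL 3.0 from the ssl module, so the record has to be built by hand) and classifies the first record the server returns. The host name, port and cipher suite list are assumptions; the cipher suite codes are the registered values for a handful of suites an SSL 3.0 server of the time would offer.

```python
"""Check whether a TLS endpoint still accepts an SSL 3.0 ClientHello.

Added example (not Paessler/PRTG code). A server that has SSL 3.0 disabled
answers the ClientHello below with an alert or simply closes the connection;
a server that still speaks SSL 3.0 answers with a ServerHello whose version
field is 0x0300.
"""
import os
import socket
import struct
import sys

SSLV3_VERSION = b"\x03\x00"  # SSL 3.0 on the wire: major 3, minor 0

# Assumed list of suites to offer; codes are the IANA-registered values.
SSLV3_CIPHER_SUITES = [
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x0033,  # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x0005,  # TLS_RSA_WITH_RC4_128_SHA
]


def build_sslv3_client_hello(client_random=None):
    """Return one SSL 3.0 record carrying a minimal ClientHello (no extensions)."""
    if client_random is None:
        client_random = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in SSLV3_CIPHER_SUITES)
    body = (
        SSLV3_VERSION                              # client_version
        + client_random                            # 32-byte random
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", len(suites)) + suites  # cipher_suites
        + b"\x01\x00"                              # one compression method: null
    )
    # Handshake header: type ClientHello (1) + 3-byte body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type handshake (0x16) + version + 2-byte length
    return b"\x16" + SSLV3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data):
    """Classify the first record returned after the SSL 3.0 ClientHello.

    Returns "sslv3-accepted", "rejected" or "unknown".
    """
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    if content_type == 0x15:  # alert record (e.g. handshake_failure, protocol_version)
        return "rejected"
    if content_type == 0x16 and len(data) >= 11:  # handshake record
        handshake_type = data[5]
        server_version = data[9:11]
        if handshake_type == 0x02:  # ServerHello
            return "sslv3-accepted" if server_version == SSLV3_VERSION else "rejected"
    return "unknown"


def _recv_exact(sock, n):
    """Read exactly n bytes, or fewer if the peer closes the connection."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect, send the ClientHello and classify the reply (closing counts as rejected)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            header = _recv_exact(sock, 5)
            if len(header) < 5:
                return "rejected"  # server closed without sending a record
            length = struct.unpack("!H", header[3:5])[0]
            return classify_server_response(header + _recv_exact(sock, length))
        except (socket.timeout, ConnectionResetError):
            return "rejected"


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "prtg.example.invalid"  # assumed
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(target_host, target_port, probe_sslv3(target_host, target_port))
```

Run it against the PRTG web server's HTTPS port after the update: "rejected" is the expected result; "sslv3-accepted" means either the update has not been applied yet or the "weak security" switch is still on, and "unknown" means the endpoint answered with something other than a TLS record (for example, plain HTTP on port 80) and should be looked at by hand.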

For further information on the SSL changes in PRTG 14.4.12 and how they affect your work with PRTG, please have a look at this Knowledge Base article.