
10/22/2014

Dog Training for Network Admins: Managing POODLE - CVE-2014-3566

CVE-2014-3566 relates to a flaw in the handling of padding bytes in SSL 3.0 when CBC mode is used for encryption[3]. The flaw may be exploited in a man-in-the-middle (MITM) position: the attacker may be able to decrypt a selected byte of the ciphertext in a limited number (256) of attempts by repeatedly causing the victim to send the same data over multiple SSLv3 connections.

The vulnerability exists in the protocol itself, not in a specific implementation of the protocol (e.g. OpenSSL, GnuTLS, etc.). Thus, the mitigation is to stop using SSLv3 and to make TLSv1 or later the minimum.

Both clients and servers are vulnerable to the attack. Server administrators should configure all services to disable the use of SSLv3. There are numerous sources[2] documenting how to disable SSLv3 in browsers. Unfortunately Apple's Safari is not as configurable; Apple has not provided a control in Safari to disable SSLv3. In fact Apple's approach seems to have been to disable CBC mode encryption if TLS negotiation fails. However Safari Version 8.0 (10600.1.25) on Yosemite, i.e. Mac OS X 10.10, still appeared to be vulnerable when tested with the poodletest.com website[4].

In addition to disabling SSLv3 on servers and in browsers, it may also be desirable to block SSLv3 traffic at the network perimeter in case something is not patched. This requires examining the SSL handshake (the ClientHello that starts the cipher suite negotiation) and dropping connections that offer SSLv3. Fortunately someone has already done the hard work[1] of finding the packet offsets, etc.
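As an added example (not from the original post or the linked iptables article), here is a small Python parser that pulls the client version out of a TLS/SSL handshake record carrying a ClientHello, which is the same header field a perimeter rule matches at fixed offsets, and flags SSLv3 handshakes for dropping or alerting. The `build_client_hello` helper is constructed here only to make the example self-contained.

```python
import struct

# SSL/TLS versions as (major, minor): SSLv3 is 3.0, TLS 1.0 is 3.1, and so on.
SSL3 = (3, 0)
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def parse_client_hello(data):
    """Return (record_version, client_version) for a handshake record carrying a
    ClientHello, or None if the bytes are not a well-formed ClientHello record."""
    if len(data) < 11:
        return None
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != 0x16:  # 22 = handshake record
        return None
    body = data[5:5 + rec_len]
    # Handshake header: 1 byte type (0x01 = ClientHello), 3 byte length, then client_version.
    # The handshake client_version is the highest version the client offers; the record
    # layer version is often just 3.1 regardless, so it is not the field to decide on.
    if len(body) < 6 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len + 4 > len(body):
        return None
    return (rec_major, rec_minor), (body[4], body[5])

def should_block(data):
    """True when the ClientHello offers SSLv3 (or older) as its highest version."""
    parsed = parse_client_hello(data)
    if parsed is None:
        return False
    _, client_version = parsed
    return client_version <= SSL3

def build_client_hello(major, minor):
    """Constructed minimal ClientHello for the demo: 32-byte random, empty session id,
    one cipher suite (0x002f), null compression, no extensions."""
    hello = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes([major, minor]) + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    for ver in ((3, 0), (3, 1), (3, 3)):
        pkt = build_client_hello(*ver)
        name = VERSION_NAMES[parse_client_hello(pkt)[1]]
        print(name, "-> block" if should_block(pkt) else "-> allow")
```

Fed the first record of each captured connection, `should_block` gives the same decision an SSLv3-dropping firewall rule would, which makes it handy for checking the rule against a packet capture before deploying it.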

References
  1. https://blog.g3rt.nl/take-down-sslv3-using-iptables.html
  2. https://zmap.io/sslv3/browsers.html
  3. http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability
  4. https://www.poodletest.com/

8/10/2012

Connecting to OpenVPN from a Mac using Tunnelblick

To connect to an OpenVPN server you need an appropriate OpenVPN client installed to establish the SSL link. For Apple Mac OS X systems, Tunnelblick (http://code.google.com/p/tunnelblick/) is a good graphical user interface. At the time of this blog post the latest stable version of Tunnelblick available was 3.2.7. These instructions were executed on an Apple iMac running Mac OS X 10.7.4. As with all other posts on this blog, the purpose of this post is not to provide a tutorial, but instead to document the steps taken, for my own benefit.

Download and install Tunnelblick

  1. Download the latest stable version of Tunnelblick (3.2.7).
  2. Click on the downloaded dmg package file to mount it.
  3. Once the Tunnelblick window is open, double-click the Tunnelblick.app icon
  4. A warning may be displayed to indicate that the package may be unsafe as it was downloaded; continue by clicking the "Open" button
  5. Enter the system administrator credentials to start the install
  6. Once installation is completed, the "installation succeeded" window will be displayed; click the "Quit" button
  7. Close the Tunnelblick window, and eject the dmg package
  8. Start the Tunnelblick GUI by going to Applications and clicking Tunnelblick.app
  9. You should see a Tunnelblick icon in the menu bar at the top
The first time you start the Tunnelblick application
  1. A warning may be displayed to indicate that the package may be unsafe as it was downloaded; continue by clicking the "Open" button
  2. When prompted, click on the "I have configuration files" button
Setting up the OpenVPN connection
  1. Then click on the "OpenVPN Configuration(s)" button
  2. Select the "Create Tunnelblick VPN Configuration" button to generate a configuration based on your OpenVPN configuration files
  3. Take note of the instructions in the dialog box and click the "Done" button
  4. You may be prompted for automatic updates
    1. To prevent your system details (although they are anonymous) from being transmitted, uncheck "Include anonymous system profile"
    2. Then click on the "Check Automatically" button to enable automatic checking for updates
  5. You should have a directory called "Empty Tunnelblick VPN Configuration" on your desktop
  6. Get the CA certificate (ca.crt), your private key (I used MACHINE.key as an example) and certificate (e.g. MACHINE.crt) and your client configuration file (this may be something like client.ovpn or client.conf). These should be provided by your network administrator.
    1. ca.crt
    2. MACHINE.crt
    3. MACHINE.key
    4. client-config.ovpn
  7. Copy or move the files above into the directory on your desktop
  8. Rename the directory to something meaningful with a .tblk extension, e.g. Office-VPN.tblk
  9. When prompted to add the .tblk extension, click on the "Add" button; you should see the directory icon change to a Tunnelblick icon
  10. Double-click the renamed directory to install the configuration
  11. When prompted to continue the installation, click the "Only Me" button
  12. Enter the system administrator credentials to complete the install
  13. Once installed, click the "OK" button
Changing DNS settings
  1. Right-click on the Tunnelblick icon in the menu bar
  2. Select VPN Details, then select the VPN connection you wish to edit, e.g. "Office-VPN"
  3. Select the "Settings" option in the middle of the window
  4. Change the "Set DNS/WINS" option to suit. For example, you may want to stop DNS changes from being pushed through the VPN tunnel; to keep using your existing nameserver configuration select "Do not set nameserver"
Connecting to the VPN

  1. Once Tunnelblick has been installed and the configuration completed
  2. Right-click the Tunnelblick icon in the menu bar
  3. You should see the VPN connection, e.g. "Connect Office-VPN"; select it to connect

Disconnecting from the VPN

  1. Once the VPN connection has been established and you wish to disconnect
  2. Right-click the Tunnelblick icon in the menu bar
  3. You should see the VPN connection, e.g. "Disconnect Office-VPN"; select it to disconnect
Here is a sample client configuration file for reference; substitute SERVER, PORT and MACHINE as appropriate
client
dev tun
proto udp
remote SERVER PORT
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert MACHINE.crt
key MACHINE.key
comp-lzo
verb 3
; the following lines are needed for Windows Vista, 7 and 8 machines, not needed for Windows XP
route-method exe
route-delay 2


References:

  1. http://code.google.com/p/tunnelblick/

7/26/2012

Change Apple Mac OS X Software Update Service (SUS) address

The Apple IU Software Update service allows users to keep their Mac OS X machines updated with the latest software updates and security patches. In some controlled environments, the update servers are specified in the user profile. Sometimes there may be delays in the server updates, or problems with the local update server, and users may wish to connect to Apple's services directly. Here are some instructions that users may find useful. Please note that to make configuration changes you will need administrative privileges on your Mac.

Users should also note that where a URL for the update catalog is not specified, network administrators may have implemented transparent update redirection by manipulating DNS entries on a local server for URLs such as: http://swscan.apple.com, http://swquery.apple.com, http://swdownload.apple.com, http://swcdn.apple.com

Check the SUS server settings
To check your current SUS settings, issue the following commands from a terminal:
  1. /usr/libexec/PlistBuddy -c Print /Library/Preferences/com.apple.SoftwareUpdate.plist
  2. /usr/libexec/PlistBuddy -c Print ~/Library/Preferences/com.apple.SoftwareUpdate.plist
The above commands would produce output similar to the following:

Dict {
    LastAttemptSystemVersion = 10.7.2 (11C74)
    LastRecommendedUpdatesAvailable = 0
    RecommendedUpdates = Array {
    }
    CatalogURL = http://XXX.XXX.XXX.XX:8088/index.sucatalog
    LastResultCode = 2
    ScheduleFrequency = 1
    LastUpdatesAvailable = 0
    LastAttemptDate = Thu Jul 26 10:37:51 EST 2012
    LastSuccessfulDate = Thu Jul 26 10:37:51 EST 2012
}

Change the SUS server settings back to Apple's default
Delete the CatalogURL entry by issuing the following command, which forces the IU software update to connect to Apple's URL:

  1. defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL

To change the SUS server
To change the SUS server to any other value, issue the following command from a terminal:
  1. defaults write com.apple.SoftwareUpdate CatalogURL 'http://SERVER:PORT/index.sucatalog'
References
  1. http://support.apple.com/kb/HT3923

10/17/2011

APAcite on Mac OS X with texlive

While compiling a LaTeX document, a blank template of my PhD thesis to be exact, I got the following error: "! LaTeX Error: File `apacite.sty' not found." A quick search of the MacPorts packages indicated that the texlive-bibtex-extra package was required. It was quickly installed using:

sudo port install texlive-bibtex-extra

A subsequent compile yielded more errors, this time "! Undefined control sequence. \abstract". This was solved using the texlive-latex-extra package, installed using:

sudo port install texlive-latex-extra


Then adding the following to define the abstract in the book documentclass:

% Define abstract in book documentclass
\pagestyle{empty}
\newenvironment{abstract}%
{
  \onehalfspacing%
  \null
  \vfill
  \chapter*{\centering Abstract}%
  \addcontentsline{toc}{chapter}{Abstract}
}%
{\vfill\null}

% Start the actual abstract
\begin{abstract}
\end{abstract}

More errors resulted: "! Use of \@year@ doesn't match its definition." I had to add "\bibliographystyle{apacite}" to the bibliography page, and all was well once again.

References:
  1. https://trac.macports.org/wiki/TeXLivePackages
  2. http://www.cs.utexas.edu/~witchel/errorclasses.html

9/06/2011

IEEETrans on Mac OS X with texlive

While compiling a journal paper, I got the following error message: "I couldn't open style file IEEEtran.bst"

The IEEEtran TeX distribution can be manually installed using the packages from CTAN [1] or IEEE [2]. However, since I use MacPorts, I just had to:
  1. sudo port install texlive-publishers

References:
  1. http://www.ctan.org/tex-archive/macros/latex/contrib/IEEEtran/
  2. http://www.ieee.org/portal/cms_docs/pubs/transactions

8/27/2011

Runtime on notebooks

I got an Apple MacBook Pro towards the start of the year. The issue was that closing the lid only puts the machine into standby mode, which still consumes power, so I wasn't getting as long a runtime as I would on my old HP nx6120 with a travel battery.

A Google search led me to Todd Huss's[2] page below. This identified the pmset[1] command as being quite useful. I followed the instructions and now have the MacBook hibernating when I close the lid. Since then I have been asked by a number of colleagues about this, so I thought I had better document it here.

I rebuilt the old HP nx6120 to run Ubuntu 10.04 LTS. Again I noticed that I wasn't getting a reasonable runtime: instead of the usual 8-10 hrs, I only got around 3-4 hrs. A discussion with a colleague led me to Linux Laptop Tools. Again some "Googling" led to the Ubuntu power management page[3], which seemed to increase the runtime.

References

  1. http://en.wikipedia.org/wiki/Pmset
  2. http://gabrito.com/post/hibernate-with-the-macbook-pro
  3. https://wiki.ubuntu.com/PowerManagement