Resolution for POODLE SSLv3.0 vulnerability (CVE-2014-3566) in vsftpd

Solution In Progress

Environment

  • Red Hat Enterprise Linux 5, 6, 7

Issue

  • How do I avoid impact to vsftpd from CVE-2014-3566?

Resolution

By default, SSL/TLS is not enabled in vsftpd. If you enabled it, you did so by adding the following line to /etc/vsftpd/vsftpd.conf:

ssl_enable=YES

If SSL/TLS is enabled, add the following lines to /etc/vsftpd/vsftpd.conf so that vsftpd negotiates only TLSv1 and never SSLv2 or SSLv3. These values are already the vsftpd defaults, so the point of setting them explicitly is to override any earlier ssl_sslv3=YES or ssl_sslv2=YES line that may exist in the file (the last occurrence of an option wins):

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

Once complete, restart vsftpd so the new protocol settings take effect (on Red Hat Enterprise Linux 7 this can also be done with systemctl restart vsftpd.service):

# service vsftpd restart
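The following shell script is an added example and is not part of the Red Hat article or of vsftpd itself. It audits a vsftpd.conf the way vsftpd reads it (last uncommented occurrence of an option wins, and the documented defaults ssl_enable=NO, ssl_sslv2=NO, ssl_sslv3=NO, ssl_tlsv1=YES apply when an option is absent), reports whether SSLv3 would be offered, and applies the three-line fix from the resolution above. The function names and the sample configuration are the example's own, not anything shipped with vsftpd.

```shell
#!/bin/sh
# Added example: audit and fix SSLv3 exposure in a vsftpd.conf.
# Function names (vsftpd_opt, vsftpd_sslv3_status, vsftpd_harden) are
# hypothetical helpers written for this example.

# vsftpd_opt FILE KEY DEFAULT
# Print the effective value of KEY in FILE, upper-cased: the last line of
# the form "KEY=value" that is not commented out wins; otherwise DEFAULT.
vsftpd_opt() {
    val=$(sed -n 's/^[[:space:]]*'"$2"'=\(.*\)$/\1/p' "$1" | tail -n 1)
    if [ -z "$val" ]; then
        printf '%s\n' "$3"
    else
        printf '%s\n' "$val" | tr '[:lower:]' '[:upper:]'
    fi
}

# vsftpd_sslv3_status FILE
# Prints NO_SSL (TLS not enabled, so CVE-2014-3566 does not apply),
# VULNERABLE (SSLv3 or SSLv2 would be offered), NO_PROTOCOL (SSL on but
# every protocol version switched off) or OK (only TLSv1 is offered).
vsftpd_sslv3_status() {
    ssl_enable=$(vsftpd_opt "$1" ssl_enable NO)   # vsftpd default: NO
    sslv2=$(vsftpd_opt "$1" ssl_sslv2 NO)         # vsftpd default: NO
    sslv3=$(vsftpd_opt "$1" ssl_sslv3 NO)         # vsftpd default: NO
    tlsv1=$(vsftpd_opt "$1" ssl_tlsv1 YES)        # vsftpd default: YES
    if [ "$ssl_enable" != "YES" ]; then
        echo NO_SSL
    elif [ "$sslv3" = "YES" ] || [ "$sslv2" = "YES" ]; then
        echo VULNERABLE
    elif [ "$tlsv1" != "YES" ]; then
        echo NO_PROTOCOL
    else
        echo OK
    fi
}

# vsftpd_harden FILE
# Drop any existing protocol-version lines (including an ssl_sslv3=YES that
# would otherwise win) and append the three lines from the resolution.
vsftpd_harden() {
    sed -i -e '/^[[:space:]]*ssl_tlsv1=/d' \
           -e '/^[[:space:]]*ssl_sslv2=/d' \
           -e '/^[[:space:]]*ssl_sslv3=/d' "$1"
    printf 'ssl_tlsv1=YES\nssl_sslv2=NO\nssl_sslv3=NO\n' >> "$1"
}

# Constructed sample config: SSL was enabled and SSLv3 explicitly turned on.
demo_dir=$(mktemp -d)
cat > "$demo_dir/vsftpd.conf" <<'EOF'
# constructed sample, not a real server's configuration
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
ssl_sslv3=YES
EOF

echo "before: $(vsftpd_sslv3_status "$demo_dir/vsftpd.conf")"   # VULNERABLE
vsftpd_harden "$demo_dir/vsftpd.conf"
echo "after:  $(vsftpd_sslv3_status "$demo_dir/vsftpd.conf")"   # OK
rm -rf "$demo_dir"
```

Run it against the real file with `vsftpd_sslv3_status /etc/vsftpd/vsftpd.conf`, and restart vsftpd after `vsftpd_harden` as the resolution says. A config audit only shows what the daemon will do after a restart; to confirm the running service, an SSLv3-only client handshake against the control port, for example `openssl s_client -connect ftp.example.com:21 -starttls ftp -ssl3`, must fail. Note that current OpenSSL builds are often compiled without SSLv3 support, in which case that client-side check cannot be performed with `-ssl3` and you must rely on the configuration audit.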

Root Cause

A vulnerability was found in the SSLv3.0 protocol. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. For more information about this vulnerability, refer to the following article: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)

Diagnostic Steps

For diagnostic steps, refer to the following article: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)


1 Comment

Note that by default, the use of SSL v2 and v3 is disabled, and only TLS v1 is enabled. In other words, the default settings (when SSL is enabled using ssl_enable=YES) are as if the following options were set (as mentioned in the solution above):

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO