How Do I Protect my WHM Server Against POODLE?

What is POODLE?

“POODLE” (Padding Oracle On Downgraded Legacy Encryption) is a protocol downgrade attack that exploits a flaw in the design of the cryptographic protocol SSL version 3.0. The bug was recently discovered by Google Security Team researcher Bodo Möller in collaboration with Thai Duong and Krzysztof Kotowicz.

What does POODLE do?

In a Poodlebleed attack, intruders can force a connection to fall back to SSL 3.0. In this way, the attacker can access plaintext information from the communication. Due to the bug in SSL 3.0, attackers can also steal cookies (small data files that enable persistent access to an online service). These cookies can give an attacker access to any kind of web-based account. As a security exploit, it can affect all web browsers and servers, and therefore any one of us could be vulnerable.

How do I protect Browsers against POODLE?

First, check whether your browser is vulnerable to POODLE by browsing to the Qualys SSL Labs SSL Client Test website. If you get the message “Your user agent is vulnerable. You should disable SSL 3.”, you need to do some cleaning up in your browsers.

The simplest thing you can do to protect browsers is to disable SSLv3 support. Then, even if the server offers SSLv3, your browser will refuse to use it. If SSL 3.0 is disabled in your browser, POODLE cannot downgrade the cryptographic protocol to it. Refer to the following article on how to disable SSL 3.0 in all major browsers (IE, Chrome, and Firefox):

https://www.digicert.com/ssl-support/disabling-browser-support-ssl-v3.htm

Please note that plenty of websites are still using SSLv3. If you disable SSL 3.0 in your browser, those sites might not work well for you.

How do I protect my WHM Server against POODLE?

To test your server against POODLE, browse the following page:

https://www.ssllabs.com/ssltest/

Enter any website hosted on your server. This test will assess your server against potential security vulnerabilities and provide you with the full security report.

If this test finds your WHM server vulnerable, upgrade cPanel/WHM to version 11.44.1.19 to address the vulnerability.

What version of cPanel/WHM am I running?

To determine your cPanel/WHM version, log into WHM as root and locate the version in the top right of the WHM interface, or run the following command in a terminal:

/usr/local/cpanel/cpanel -V

To protect your WHM server against the POODLE vulnerability, cPanel recommends upgrading the cPanel/WHM software to version 11.44.1.19. cPanel released this version (11.44.1.19), which disables SSLv3, on 22nd October 2014.

How do I upgrade cPanel/WHM version?

To upgrade cPanel/WHM from a terminal, run the following command as the root user:

/scripts/upcp

To upgrade cPanel/WHM through the WHM control panel, follow these steps:

  • Log in to WHM and type “upgrade” in the search box.
  • You will see “Upgrade to Latest Version”. Click this option.
  • If you wish to send cPanel the log files from your update attempt, click the appropriate checkbox. If you wish to disable this option, disable the “Send information about server usage to cPanel for analysis” option in WHM’s Tweak Settings interface (Home >> Server Configuration >> Tweak Settings).
  • If you wish to force a reinstall of the software, select the appropriate checkbox.
  • Click “Click to Upgrade”.

The newer version disables SSLv3 support by default. However, for those changes to take effect through the update process, the services must be restarted. Also, once you upgrade your server, you will need to follow the steps below to ensure that SSLv3 is properly disabled.

For Apache

  1. Go to WHM => Service Configuration => Apache Configuration => Global Configuration.
  2. SSL/TLS Cipher Suite (the second option, not “SSL Cipher Suite”) should contain “All -SSLv2 -SSLv3”.
  3. Go to the bottom of the page, and select the Save button to restart the service.

Note about Mail Servers

The POODLE attack requires the client to retry connecting several times in order to downgrade to SSLv3, and typically only browsers will do this. Mail clients are not as susceptible to POODLE. However, users who want better security should switch to Dovecot until we upgrade Courier to a newer version.

For cpsrvd

  1. Go to WHM => Service Configuration => cPanel Web Services Configuration
  2. Make sure that the “TLS/SSL Protocols” field contains “SSLv23:!SSLv2:!SSLv3”.
  3. Select the Save button at the bottom.

For cpdavd

  1. Go to WHM => Service Configuration => cPanel Web Disk Configuration
  2. Make sure that the “TLS/SSL Protocols” field contains “SSLv23:!SSLv2:!SSLv3”.
  3. Select the Save button at the bottom.

For Dovecot

  1. Go to WHM => Service Configuration => Mailserver Configuration
  2. SSL Protocols should contain “!SSLv2 !SSLv3”. If it does not, replace the text in this field.
  3. Go to the bottom of the page, and select the Save button to restart the service.

For Courier

Courier has released a new version to mitigate this as of 10/22. Until we have an opportunity to review, test, and publish the new version of Courier, please switch to Dovecot for enhanced security.

For Exim

  1. Go to Home => Service Configuration => Exim Configuration Manager
  2. Under Advanced Editor, look for ‘openssl_options’.
  3. Make sure the field contains “+no_sslv2 +no_sslv3”.
  4. Go to the bottom of the page, and select the Save button to restart the service.

Additionally, if you have already performed manual configuration changes on your server to disable SSLv3, you will need to revert those changes.

For Apache

  1. Go to WHM => Service Configuration => Apache Configuration => Include Editor => Pre Main Include.
  2. Select a version or All Versions.
  3. Remove the following lines from the text box:

SSLHonorCipherOrder On
SSLProtocol +All -SSLv2 -SSLv3

  4. Press the Update button to rebuild your Apache configuration.

For cpdavd

  1. Go to WHM => Service Configuration => cPanel Web Disk Configuration
  2. Make sure that the “TLS/SSL Protocols” field contains “SSLv23:!SSLv2:!SSLv3”.
  3. Select the Save button at the bottom.

For Courier

The POODLE attack requires the client to retry connecting several times in order to downgrade to SSLv3, and typically only browsers will do this. Mail clients are not as susceptible to POODLE. However, users who want better security should switch to Dovecot until we upgrade Courier to a newer version.

For Exim

  1. Go to WHM => Service Configuration => Exim Configuration Manager => Advanced Editor.
  2. Go to SECTION: Config at the top.
  3. Search for openssl_options.
  4. Ensure that this setting is set to “+no_sslv2 +no_sslv3”, which is the cPanel default.
  5. Go to the bottom of the page, and select the Save button.

How do I secure my Apache Web Server against POODLE?

To disable SSLv3 in Apache Web Server, you need to edit the Apache configuration.

On Debian and Ubuntu systems, the file you need to modify is /etc/apache2/mods-available/ssl.conf.

Command:

sudo nano /etc/apache2/mods-available/ssl.conf

Add the following line to the Apache configuration alongside the other SSL directives:

SSLProtocol All -SSLv3 -SSLv2

On CentOS and Fedora systems, the file you need to modify is /etc/httpd/conf.d/ssl.conf.

Command:

sudo nano /etc/httpd/conf.d/ssl.conf

Add the following line to the Apache configuration alongside the other SSL directives:

SSLProtocol All -SSLv3 -SSLv2

Save and close the file. Restart the Apache service to apply your changes.

On Ubuntu and Debian systems, type the following command to restart the Apache service:

sudo service apache2 restart

On CentOS and Fedora systems, type the following command to restart the Apache service:

sudo service httpd restart
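
To confirm that the edited file no longer allows SSLv3, the following added example (not part of the original article or of Apache) evaluates each active SSLProtocol directive the way mod_ssl parses it and reports whether SSLv3 is still enabled. The function names and the sample config are constructed for illustration, and it assumes “all” includes SSLv3, as it did in Apache builds of that period.

```sh
#!/bin/sh
# Added example (not from the original article): find SSLProtocol directives
# that still leave SSLv3 enabled.

# Evaluate one SSLProtocol value as mod_ssl does: tokens are read left to
# right, "+X" adds, "-X" removes, and a bare token replaces the whole set.
# Assumption: "all" includes SSLv3, as in 2014-era Apache/OpenSSL builds.
sslprotocol_sslv3_state() (
    set -f                        # no glob expansion while splitting $1
    state=disabled
    for tok in $1; do
        sign=""
        case $tok in
            [+-]?*) sign=${tok%"${tok#?}"}; tok=${tok#?} ;;
        esac
        name=$(printf '%s' "$tok" | tr '[:upper:]' '[:lower:]')
        case $sign$name in
            sslv3|all|+sslv3|+all) state=enabled ;;
            -sslv3|-all)           state=disabled ;;
            [+-]*)                 ;;                 # other protocol toggled
            *)                     state=disabled ;;  # bare protocol replaces set
        esac
    done
    printf '%s\n' "$state"
)

# Print "LINE:STATE:VALUE" for every active (uncommented) SSLProtocol
# directive in the config file given as $1.
audit_apache_conf() {
    grep -niE '^[[:space:]]*SSLProtocol[[:space:]]' "$1" |
    while IFS=: read -r lineno directive; do
        value=$(printf '%s' "$directive" |
            sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+//')
        printf '%s:%s:%s\n' "$lineno" "$(sslprotocol_sslv3_state "$value")" "$value"
    done
}

# Constructed sample config, not taken from a real server.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# SSLProtocol all
SSLProtocol All -SSLv3 -SSLv2
<VirtualHost *:443>
    SSLProtocol all -SSLv2
</VirtualHost>
EOF
audit_apache_conf "$sample"
```

On a real system, point audit_apache_conf at /etc/apache2/mods-available/ssl.conf or /etc/httpd/conf.d/ssl.conf. A directive inside a virtual host overrides the global one for that host, so every line reported as enabled needs -SSLv3 added.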