POODLE Test for SonicWall management interface and SSL-VPN

POODLE Test for SonicWall management interface and  SSL-VPN

The POODLE attack exploits vulnerability in the SSL 3.0 protocol. More particularly, the vulnerability exists when SSL 3.0 uses block ciphers in CBC mode for encryption. There are many online testing tools available to test whether a server is vulnerable.  The management interface and the UTM SSL-VPN feature of the SonicWall UTM appliance supports SSL 3.0, TLS 1.0, and from SonicOS 6.2 onwards, TLS 1.1 and TLS 1.2. As of this writing, SSL 3.0 cannot be disabled in the SonicWall UTM appliances. This will cause the tests to the SonicWall to fail and will report the SonicWall as vulnerable. 

NOTE: For the below test to work you must have a DNS record setup for your SonicWall's public IP. A dynamic DNS account has been used in this example.

For example, here is a snapshot of an online test run from https://www.ssllabs.com/ssltest, which shows the SonicWall as vulnerable to POODLE:


 
However, in SonicOS 5.9.x and above firmware, SonicWall provides a method to mitigate this attack by enabling RC4 ciphers in its SSL negotiation. RC4 uses stream cipher and is not affected by the POODLE attack. The option to enable RC4 only ciphers is available in the diag page of the SonicWall. Enabling this option would force SonicWall to negotiate SSL connections using RC4-SHA1 or RC4-MD5.  For more information on how to enable this option, see How to enable RC4-only cipher suites in the SonicWall

After enabling this option, online POODLE tests will show the SonicWall as NOT vulnerable. For example, here is a snapshot of an online test run after enabling this option, which shows the SonicWall as NOT vulnerable to POODLE: