Researchers have disclosed a vulnerability (CVE-2014-3566) in the SSLv3 version of the SSL (Secure Sockets Layer) protocol that exposes it to MITM (Man-in-the-Middle) attacks known as POODLE (Padding Oracle On Downgraded Legacy Encryption). The vulnerability requires SSLv3 to be allowed and used by both the client and server. Note that SSLv3 has since been replaced by the newer TLS (Transport Layer Security) protocol versions TLSv1.0, TLSv1.1 and TLSv1.2. To remediate, either the client or server should be configured to use only TLSv1.0 or above.
Recommended Action: The easiest way to remediate the vulnerability is to disable SSLv3 on web browsers and servers.
SonicWall Next-Generation Firewall customers can protect their infrastructure by taking these actions:
Use Application Control to block SSLv3 connections following instructions in this KB article.
The SonicWall Threat Research Team has issued a signature to prevent SSL downgrade attacks related to the SSLv3 vulnerability, and this KB article details how to enable the IPS signature.
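To show what a rule that blocks SSLv3 connections has to look at, the following added example (not SonicWall code and not the logic of the signature above) reads the protocol version from a ClientHello or ServerHello record and flags SSL 3.0 (0x0300). The function names and the sample records are constructed for illustration, and a hello that fits in a single record is assumed.

```python
import struct

SSL3 = 0x0300  # SSL 3.0 on the wire; TLS 1.0/1.1/1.2 are 0x0301/0x0302/0x0303
NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2


def hello_version(record: bytes):
    """Return (message name, version) for a ClientHello/ServerHello record, else None."""
    if len(record) < 11:  # 5-byte record header + 4-byte handshake header + 2-byte version
        return None
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or rec_len < 6:
        return None
    msg_type = record[5]
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    # The record-layer version is deliberately not used: RFC 5246 Appendix E.1 lets a
    # client send 0x0300 there while its ClientHello still offers TLS 1.2.
    (version,) = struct.unpack("!H", record[9:11])
    return ("ClientHello" if msg_type == CLIENT_HELLO else "ServerHello", version)


def verdict(record: bytes) -> str:
    parsed = hello_version(record)
    if parsed is None:
        return "ignore"
    msg, version = parsed
    if version != SSL3:
        return "allow"
    # ClientHello 3.0: the client offers nothing newer than SSLv3.
    # ServerHello 3.0: the server has selected SSLv3 for this session.
    return "block: %s %s" % (msg, NAMES[version])


def _hello(msg_type: int, version: int, rec_version: int) -> bytes:
    """Constructed sample: truncated hello (version, 32-byte random, empty session id)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, rec_version, len(hs)) + hs


if __name__ == "__main__":
    for rec in (_hello(1, 0x0300, 0x0300), _hello(1, 0x0303, 0x0300), _hello(2, 0x0300, 0x0300)):
        print(verdict(rec))
```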
Recommendations for other SonicWall Solutions:
SonicWall SMB SRA
SMB SRA Firmware
All 7.5 versions prior to 220.127.116.11-29sv
All 7.0 and earlier versions prior to 18.104.22.168-5sv
SSLv3 support has been removed in these releases:
Upgrade 7.5 to 22.214.171.124-31sv (or newer)
Upgrade 7.0 to 126.96.36.199-7sv (or newer)
SonicWall E-Class SRA
All versions prior to 11.1
All versions prior to 10.7.1
Disable Aventail SSLVPN support for SSLv3 via the management console. Disable SSLv3 in the web browser used to access the web management console. SSLv3 support will be removed in subsequent releases.