KB Article #177707
Is Transfer CFT vulnerable to POODLE (CVE-2014-3566)?
Problem
Is Transfer CFT vulnerable to POODLE (CVE-2014-3566)?
Resolution
Background:
POODLE (CVE-2014-3566) is a weakness of the SSL 3.0 protocol itself, not of one implementation such as OpenSSL: under SSL 3.0, CBC-mode cipher suites do not verify the padding bytes, which gives a network attacker a padding oracle that can decrypt small parts of an encrypted session (for example a cookie). Against a client that also supports newer versions, the attacker first forces a downgrade of the protocol version of the connection "to be established", for example from TLS 1.x to SSL 3.0.
To execute the attack, an adversary must hold a man-in-the-middle position on the victim's connection (so that the TLS handshakes can be made to fail until the client falls back to SSL 3.0) and must be able to run attacker-controlled JavaScript inside the victim's browser, so that the browser sends many requests with chosen plaintext around the secret.
The CVSS v2 base score published by NVD (US government) for CVE-2014-3566 (aka POODLE) is 4.3 (Medium).
Solution:
Transfer CFT and its GUI, Copilot, can be configured to refuse SSL 3.0 by raising the minimum accepted protocol version to TLS 1.0 or later.
Check the Transfer CFT documentation for the following UCONF variables:
cft.ssl.version_min AND copilot.ssl.version_min
Note: Even if SSL 3.0 is left enabled for the transfer flows, the precondition of the published attack is not met: none of the sessions Transfer CFT establishes involves a browser, so an attacker has no way to run JavaScript on a CFT peer and drive the chosen-plaintext requests the attack needs. The padding weakness of SSL 3.0 itself remains, however, so setting the minimum version to TLS is still the recommended configuration wherever all partners support TLS.
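The practical check after changing these variables is to confirm that the listener no longer completes an SSL 3.0 handshake. The script below is an added example, not code from this article or from Axway: it sends a raw SSL 3.0 ClientHello over a plain socket (recent OpenSSL builds ship without SSL 3.0 support, so openssl s_client -ssl3 is often unavailable) offering only the CBC cipher suites POODLE depends on, and classifies the server's first record. The host and port are assumptions passed on the command line; point it at the Transfer CFT or Copilot TLS listener before and after the change and expect "refused" afterwards. The sample records at the bottom are constructed for offline checking, not captured from a real server.

```python
"""Probe whether a TLS listener still accepts an SSL 3.0 handshake (the POODLE precondition).

Added example; not code from the KB article or from Axway. Host and port are
assumptions supplied on the command line (e.g. the Transfer CFT or Copilot
TLS listener).
"""
import os
import socket
import struct
import sys

SSL3_VERSION = b"\x03\x00"          # record/handshake version bytes for SSL 3.0
RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02

# CBC suites only: POODLE is a padding-oracle attack on CBC under SSL 3.0, so a
# server that selects any of these at version 3.0 has the vulnerable combination.
SSL3_CBC_SUITES = [
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x0016,  # TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0033,  # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x0039,  # TLS_DHE_RSA_WITH_AES_256_CBC_SHA
]


def build_sslv3_client_hello(client_random=None):
    """Return one record carrying an SSL 3.0 ClientHello (RFC 6101 layout)."""
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in SSL3_CBC_SUITES)
    body = (
        SSL3_VERSION
        + client_random
        + b"\x00"                                   # session_id length 0
        + struct.pack("!H", len(suites)) + suites   # cipher_suites
        + b"\x01\x00"                               # compression_methods: null only
    )
    # Handshake header: 1-byte type + 3-byte length
    handshake = bytes([HS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    # Record header: 1-byte type + 2-byte version + 2-byte length
    return bytes([RECORD_HANDSHAKE]) + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the server's first record as 'sslv3_accepted', 'refused' or 'unknown'."""
    if not data:
        return "refused"            # server closed the connection without replying
    if len(data) < 5:
        return "unknown"
    content_type, major, minor = data[0], data[1], data[2]
    if content_type == RECORD_ALERT:
        return "refused"            # e.g. handshake_failure or protocol_version alert
    if (content_type == RECORD_HANDSHAKE and (major, minor) == (3, 0)
            and len(data) >= 6 and data[5] == HS_SERVER_HELLO):
        return "sslv3_accepted"     # ServerHello negotiated at version 3.0
    return "unknown"


def probe(host, port, timeout=5.0):
    """Connect, send the SSL 3.0 ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "unknown"
        except ConnectionResetError:
            return "refused"
    return classify_response(data)


# Constructed sample records for offline checking (not captured from a real server):
# a ServerHello at version 3.0 choosing TLS_RSA_WITH_AES_128_CBC_SHA, and a fatal
# handshake_failure alert.
SAMPLE_SSLV3_SERVER_HELLO = (bytes.fromhex("160300002a" "02000026" "0300")
                             + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00")
SAMPLE_HANDSHAKE_FAILURE_ALERT = bytes.fromhex("1503000002" "0228")

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: sslv3_probe.py HOST PORT")
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it only against a port that actually speaks TLS; a plain PeSIT listener without TLS will answer with something that is neither a ServerHello nor an alert and the result will be "unknown", which says nothing about SSL 3.0 either way.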