The security community recently identified a new vulnerability in the SSLv3 protocol, known as POODLE (Padding Oracle On Downgraded Legacy Encryption). This article helps you understand POODLE and the steps you should take to protect your systems. We also discuss steps we are taking at LogMeIn to protect you against POODLE and similar vulnerabilities now and into the future.
Are LogMeIn Products vulnerable?
The latest versions of LogMeIn products and services are not impacted by POODLE. Since the vast majority of our customers receive auto-updates, most users can rest assured that they are protected against such attacks. We’ve included the latest version numbers below and have provided an easy way to check your version and update if required.
How about your browser?
It’s important to understand that only the older SSLv3 protocol is vulnerable. Most modern browsers support protocols other than SSLv3, so unless you are using Internet Explorer 6 (IE 6), you’re in good shape. If you are using IE 6, we strongly recommend that you upgrade to Internet Explorer 7 (or above) or choose an alternative browser, such as Firefox, Opera or Chrome.
Use this third-party service to check whether your browser is vulnerable: https://www.poodletest.com/
If you remain on IE 6, keep in mind that IE 6 is NOT SUPPORTED and you will experience problems:
- From any LogMeIn website, you will receive the following message: “Internet Explorer cannot display the webpage”
- When attempting to use the LogMeIn Client, you will be unable to log in or connect
But there’s a slight catch…
Modern browsers are sometimes configured to work around interoperability bugs in older servers by retrying a failed connection with a downgraded protocol. Even when both sides of the connection support newer, more secure protocols, an active man-in-the-middle attacker can abuse this one-sided fallback to force the connection down to SSLv3 and then exploit the protocol’s vulnerability to gain access to the encrypted connection.
And a solution!
If either side of the connection explicitly disallows SSLv3 then the vulnerability cannot be exploited.
- As a browser user, it’s best to disable SSLv3 in your browser. This will actually be done for you in the next versions of most popular browsers, such as Firefox and Chrome.
- As someone running a webserver (like LogMeIn), the best thing to do is to disable SSLv3 entirely on the server side. And that’s just what LogMeIn will do. To ensure the security of all users, we will disable SSLv3 support on our webservers starting today (20th October). The only small downside to this change is that anyone still using Internet Explorer 6 (which does not support the latest protocols) will no longer be able to communicate with any LogMeIn websites.
- Going above and beyond what’s needed to respond to POODLE, we will disable SSLv3 support on all other servers in the coming weeks. This will impact all older versions of LogMeIn products: after this update, only the versions listed below (or newer) will be able to access LogMeIn services.
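As an added example (not LogMeIn’s code or configuration), the following Python auditor checks whether Apache or nginx configuration lines still leave SSLv3 enabled, applying mod_ssl’s rule that an unprefixed protocol token replaces the set built so far. The sample configuration lines are constructed, and the expansion of Apache’s `all` keyword assumes an OpenSSL build that still includes SSLv3.

```python
PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Apache's "all" keyword: SSLv3 plus every TLS version the build supports (SSLv3 is
# absent only when OpenSSL itself was built without it), so "all" alone is unsafe.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

def _names(token):
    """Expand one protocol token (case-insensitive); 'all' is an Apache keyword."""
    hit = APACHE_ALL if token.lower() == "all" else {p for p in PROTOCOLS if p.lower() == token.lower()}
    if not hit:
        raise ValueError(f"unknown protocol token {token!r}")
    return set(hit)

def apache_protocols(directive):
    """mod_ssl semantics: '+proto' adds, '-proto' removes, and a bare token
    REPLACES the set built so far, so 'all -SSLv3 TLSv1.2' leaves only TLSv1.2."""
    enabled = set()
    for token in directive.split()[1:]:
        if token[0] == "-":
            enabled -= _names(token[1:])
        elif token[0] == "+":
            enabled |= _names(token[1:])
        else:
            enabled = _names(token)
    return enabled

def nginx_protocols(directive):
    """nginx semantics: a plain list of protocols, terminated by ';'."""
    return set().union(*(_names(t) for t in directive.rstrip(";").split()[1:]))

def audit(config_text):
    """Return (line_no, server, enabled_protocols, sslv3_enabled) for each directive."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.lower().startswith("sslprotocol "):
            enabled = apache_protocols(stripped)
            findings.append((lineno, "apache", enabled, "SSLv3" in enabled))
        elif stripped.startswith("ssl_protocols "):
            enabled = nginx_protocols(stripped)
            findings.append((lineno, "nginx", enabled, "SSLv3" in enabled))
    return findings

# Constructed sample: three Apache directives, then two nginx directives.
SAMPLE_CONFIG = """\
SSLProtocol all
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol all -SSLv3 TLSv1.2
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
"""
```

Running `audit(SAMPLE_CONFIG)` flags the first and fourth lines as still accepting SSLv3, and shows that the third line, despite its `-SSLv3`, ends up with only TLSv1.2 because the bare `TLSv1.2` token reset the set.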
Additional detail about how POODLE works
POODLE represents a broad vulnerability that can potentially allow an attacker to gain access to the contents of encrypted communications. As discussed above, browsers are sometimes set to work around interoperability bugs in older servers by connecting using a downgraded protocol. By simulating a failure when a connection to a server is being established, an adversary can trick a browser and server into retrying their connection with an older protocol (SSLv3). Since the POODLE vulnerability is inherent to the protocol itself, not the server, the problem cannot be patched out like Shellshock and Heartbleed.
Latest LogMeIn product versions
The latest versions of LogMeIn products are NOT affected by the POODLE vulnerability. Here is a list of the latest versions, as well as instructions on how to quickly determine which version you are running and how to manually upgrade, if necessary.
- LogMeIn Pro (LogMeIn Host v126.96.36.19908 and above on Windows or v188.8.131.5205 and above on Mac)(LogMeIn Client version 1.3.422 for Windows and 4.1.4587 for Mac) – How to check
- Rescue Technician Console, Calling Card 7.4 or newer – How to check: Technician Console Options > About LogMeIn Rescue; Calling Card Settings > About
- Cubby 184.108.40.20648 – How to check
- join.me 220.127.116.11 – How to check
- RemotelyAnywhere 11.3.2821 – Latest available here
- AppGuru – Not impacted by POODLE due to LogMeIn webserver updates
- Xively – Not impacted by POODLE due to LogMeIn webserver updates
- Hamachi – Not impacted by POODLE
- Backup 3.0.789 – How to check
- Meldium – Not impacted by POODLE