Securing AWS ELBs Against CVE-2014-3566 (POODLE)

The AWS bulletin at https://aws.amazon.com/security/security-bulletins/CVE-2014-3566-advisory/ says to go into the web console and change the SSL negotiation settings on each load balancer so that SSLv3 is no longer offered.

What if you have hundreds of ELBs to change? That’ll take FOREVER.

Here’s how to do it using the CLI tools (the aws elb commands apply to classic load balancers). You’ll want to write a script around these commands. Set $ELBNAME, $NEWPOLICYNAME, $OLDPOLICYNAME and $ELBHOSTNAME first, and add --region if the ELB isn’t in your default region.

List Existing Policies (--output text so the grep works whatever your default output format is):

aws elb describe-load-balancer-policies --load-balancer-name $ELBNAME --output text | grep POLICYDESCRIPTIONS

Each POLICYDESCRIPTIONS line is a policy name and its type. The SSLNegotiationPolicyType policy that your HTTPS listener uses is $OLDPOLICYNAME; aws elb describe-load-balancers shows which policy names each listener has attached.

Create a New Policy That Has SSLv3 Disabled (ELBSecurityPolicy-2014-10 is the predefined policy the bulletin recommends: it turns Protocol-SSLv3 off and leaves TLS 1.0, 1.1 and 1.2 enabled):

aws elb create-load-balancer-policy --load-balancer-name $ELBNAME --policy-name $NEWPOLICYNAME --policy-type-name SSLNegotiationPolicyType --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-2014-10

Configure Your SSL Listener to Use It:

aws elb set-load-balancer-policies-of-listener --load-balancer-name $ELBNAME --load-balancer-port 443 --policy-names $NEWPOLICYNAME

Caveat: this command replaces the listener’s whole policy list, so if the listener also has a stickiness policy, pass that name alongside $NEWPOLICYNAME or it will be dropped. Repeat for every HTTPS or SSL listener on the ELB, not just port 443.

Delete The Old Policy (this only succeeds once no listener references it, so do it after the previous step on every listener that used it):

aws elb delete-load-balancer-policy --load-balancer-name $ELBNAME --policy-name $OLDPOLICYNAME

Verify SSLv3 Doesn’t Work Anymore:

openssl s_client -ssl3 -connect $ELBHOSTNAME:443

The handshake should fail (an "sslv3 alert handshake failure" or similar, with no certificate printed), while the same command with -tls1 should still connect. Caveat: an OpenSSL built without SSLv3 support rejects -ssl3 as an unknown option, which proves nothing about the ELB; run the check from a build that still has it.

Finally, audit your entire AWS account! The script below walks every region, probes each ELB’s public hostname on port 443 with an SSLv3-only handshake, and prints FAIL for any ELB that still completes it.

#!/bin/bash
# Probe every classic ELB's public hostname on 443 with an SSLv3-only handshake.
# s_client prints DONE only after a completed handshake, so DONE means the ELB
# still accepts SSLv3 (FAIL). Internal ELBs and listeners on other ports are not covered.
# An OpenSSL built without SSLv3 cannot run this check at all: every probe would
# error out before the handshake and every ELB would be reported PASS.
if ! openssl s_client -help 2>&1 | grep -q -- '-ssl3'; then
  echo "this openssl has no SSLv3 support; run the audit from a build that does" >&2
  exit 2
fi
for REGION in $( aws ec2 describe-regions --output text --query 'Regions[].RegionName' ); do
  for ELB in $( aws elb describe-load-balancers --region $REGION --output text --query 'LoadBalancerDescriptions[].DNSName' ); do
    echo -n "$REGION $ELB ";
    if echo "01 logout" | openssl s_client -ssl3 -connect $ELB:443 2>&1 | grep -q DONE; then
      echo FAIL
    else
      echo PASS
    fi
  done
done

Example output:

us-east-1 fooelb-12345.us-east-1.elb.amazonaws.com FAIL
us-east-1 barelb-67890.us-east-1.elb.amazonaws.com PASS
