POODLE vulnerability alert

Last updated: July 4, 2018

Recently, you may have received a letter and/or email from Virgin Media explaining that a device on your network could have a vulnerability known as Padding Oracle On Downgraded Legacy Encryption (POODLE). If you’ve received this note from us, please follow the advice on this page to fix the problem.

Overview

SSL (Secure Sockets Layer) is a security protocol for establishing an encrypted link between a server and a device. POODLE is a weakness in SSL version 3 (SSLv3), an old version of this protocol, that a third party can use to access personal and financial data being sent from your network or devices.

If the vulnerability is not fixed, your personal and financial information could be at risk.

What has happened?

We work with a number of not-for-profit organisations across the banking industry and security sectors that collate information on devices across the internet that appear to be compromised or misconfigured. They’ve picked up that a device on your network is likely to have been misconfigured, and so is publicly accessible on the internet.

For more information on these reports please visit poodlescan.shadowserver.org*.

We think a device connected to your home network may have a Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability. This is where a system running an old version of the SSL protocol is accessible on the internet, meaning a third party could access data passing to and from the affected system.

How to fix the problem

If you have basic knowledge of computers and connected devices, there are a number of steps you can take to secure your home network.

Pick a scenario that best fits your home network for advice on how to fix this issue**:

If you're running a Network Attached Storage (NAS) drive on your network, we recommend disabling SSLv3 support on your server. The way to do this differs between makes and models of these systems, so we recommend you take a look at the help documents for your NAS drive for how to disable SSLv3 support.

If it's not possible to disable SSLv3 support on your NAS drive, then we recommend disallowing access to your NAS drive's web server from outside your home by blocking port 443. This means third parties on the internet won't be able to exploit the POODLE vulnerability on your NAS drive to gain personal information passing to or from it.

It's worth noting that blocking port 443 only stops traffic from entering or leaving your home network over this port; services that use port 443 should continue to work as normal.

To do this, please follow the instructions below:

Virgin Media Hub 3

To close the vulnerable port on the Virgin Media Hub 3:

  • Go to your Hub's configuration page – default web address: 192.168.0.1
  • Log in with your username and password (the defaults are shown on the Hub itself)
  • Select 'Security' on the left side of the page
  • Select the 'Port Forwarding' option
  • Remove any rules that will keep port 443 open
  • Select the 'Port Triggering' option
  • Remove any rules that will keep port 443 open

Virgin Media Super Hub

To ensure port 443 is closed on the Super Hub 1 or 2's firewall:

  • Go to your Hub's configuration page – default web address: 192.168.0.1
  • Log in with your username and password (the defaults are shown on the Hub itself)
  • Select 'Advanced Settings' and accept the prompt
  • Scroll down to the 'Security' section
  • Select the 'Port Forwarding' option
  • Tick the 'Delete' box next to any rules that will keep port 443 open
  • Click the 'Apply' option
  • Select the 'Port Triggering' option
  • Tick the 'Delete' box next to any rules that will keep port 443 open
  • Click the 'Apply' option

Third party routers

If you use a third party router alongside your Virgin Media Super Hub or Hub 3, your router's firewall will need to be configured to ensure port 443 isn’t accessible outside of your local network. You can do this by blocking the port or removing any Port Forwarding rules for port 443. To find out how to do this for your router, take a look at the documents for your device or the manufacturer's website.

If you’re running a CCTV system on your network, we recommend disabling SSLv3 support on your CCTV server. The way to do this differs between makes and models of these systems, so we recommend you take a look at the help documents for your CCTV system for how to disable SSLv3 support.

If it’s not possible to disable SSLv3 support on your CCTV system, then we’d recommend disabling access to your CCTV web interface from outside your home network by blocking port 443. Disallowing access to your CCTV system’s web server from outside your home means third parties won’t be able to exploit the POODLE vulnerability on your CCTV system to take personal information passing to or from it.

It’s worth noting that blocking this port only stops traffic from entering or leaving your home network over this port; services that use port 443 should continue to work as normal.

To do this, please follow the instructions below:

Virgin Media Hub 3

To close the vulnerable port on the Virgin Media Hub 3:

  • Go to your Hub's configuration page – default web address: 192.168.0.1
  • Log in with your username and password (the defaults are shown on the Hub itself)
  • Select 'Security' on the left side of the page
  • Select the 'Port Forwarding' option
  • Remove any rules that will keep port 443 open
  • Select the 'Port Triggering' option
  • Remove any rules that will keep port 443 open

Virgin Media Super Hub

To ensure port 443 is closed on the Super Hub 1 or 2's firewall:

  • Go to your Hub's configuration page – default web address: 192.168.0.1
  • Log in with your username and password (the defaults are shown on the Hub itself)
  • Select 'Advanced Settings' and accept the prompt
  • Scroll down to the 'Security' section
  • Select the 'Port Forwarding' option
  • Tick the 'Delete' box next to any rules that will keep port 443 open
  • Click the 'Apply' option
  • Select the 'Port Triggering' option
  • Tick the 'Delete' box next to any rules that will keep port 443 open
  • Click the 'Apply' option

Third party routers

If you use a third party router alongside your Virgin Media Super Hub or Hub 3, your router's firewall will need to be configured to ensure port 443 is not accessible outside of your local network. You can do this by blocking the port or removing any Port Forwarding rules for port 443. To find out how to do this for your router, take a look at the documents for your device or the manufacturer's website.

If you’ve set up a web server running on a Windows system, we recommend disabling SSLv3 support on the server. Visitors to your website shouldn’t face any issues providing they’re using a reasonably up-to-date web browser.

If you’re using the IIS web server software, you can do this by adding the following lines in a plain text file named disable_ssl3.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

Save the file disable_ssl3.reg on your server, then double-click it.

If you’re running other web server software on your Windows system, we recommend you take a look at the help documents for the software to find out how to disable SSLv3 support.

It’s worth noting that SSL has largely been replaced by a similar protocol, Transport Layer Security (TLS). If it’s supported, we’d recommend ensuring your traffic is passing over TLS.

If you’ve set up a web server running on a Unix-based or Unix-like system (Linux, FreeBSD, macOS etc.) on your home network then we recommend disabling SSLv3 support on the server. Visitors to your website shouldn’t face any issues providing they’re using a reasonably up-to-date web browser.

To disable SSLv3, please follow advice for the web server software you’re running. Admin privileges are required on your system to be able to run these commands.

It’s also worth noting that SSL has largely been replaced by a similar protocol, Transport Layer Security (TLS). If it’s supported, we’d recommend ensuring your traffic is passing over TLS.

Apache

Put the following line in your configuration file, or replace any existing line starting with SSLProtocol:

SSLProtocol all -SSLv2 -SSLv3

Then run: sudo apache2ctl configtest && sudo service apache2 restart

Nginx

Put the following line in your configuration file, or replace any existing line starting with ssl_protocols:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Then restart the server (in Ubuntu: sudo service nginx restart).

Lighttpd

Lighttpd releases before 1.4.28 allow you to disable SSLv2 only.

If you’re running at least 1.4.29, put the following lines in your configuration file:

ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

Then restart the server (in Ubuntu: sudo service lighttpd restart).

Other web server software

If you’re running other web server software on your system, we recommend you refer to the help documents for your software for how to disable SSLv3 support.
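To confirm that one of the server changes above (the IIS registry keys, or the Apache, Nginx or Lighttpd settings) has taken effect, the following added Python example, which is not part of the original instructions, sends an SSL 3.0 ClientHello to a server you administer and reports whether it answers with an SSL 3.0 ServerHello. The function names, result strings and the two sample replies are constructed for illustration.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"
# CBC and RC4 suites commonly offered over SSL 3.0 (AES128, AES256, 3DES, RC4)
SUITES = b"\x00\x2f\x00\x35\x00\x0a\x00\x05"
# Constructed sample replies (not captured traffic) for offline checks
SAMPLE_REFUSED = bytes.fromhex("15030000020228")           # fatal alert record
SAMPLE_ACCEPTED = bytes.fromhex("160300002a020000260300") + bytes(36)

def build_ssl3_client_hello() -> bytes:
    """Return one SSL 3.0 record carrying a ClientHello (no extensions)."""
    body = (SSL3 + os.urandom(32)                  # client_version, random
            + b"\x00"                              # empty session_id
            + struct.pack("!H", len(SUITES)) + SUITES
            + b"\x01\x00")                         # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sends back to the hello."""
    if len(data) < 5:
        return "no-tls-reply"                      # closed without answering
    if data[0] == 0x15:                            # alert record: hello refused
        return "ssl3-refused"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # ServerHello: chosen version follows the 4-byte handshake header
        return "ssl3-accepted" if data[9:11] == SSL3 else "other-version"
    return "no-tls-reply"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the hello to a server you administer and classify its answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_ssl3_client_hello())
            data = b""
            while len(data) < 11:                  # enough to read the version
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
            return classify_reply(data)
    except OSError:                                # closed port, reset, timeout
        return "unreachable-or-reset"
```

Call probe() with the address of your own server after applying the change; "ssl3-accepted" means SSLv3 is still enabled, while "ssl3-refused" or "no-tls-reply" means the server no longer negotiates it.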

If you’re not aware of any web servers, Network Attached Storage (NAS) drives or CCTV systems on your network, then it’s likely another device on your home network has been set up to act as a web server. This could be anything that’s connected to your internet connection, but it’s most likely going to be a computer rather than a mobile device or similar.

If you do not require the website hosted on your home network to be accessible from outside your home network (i.e. reachable from the internet), then it will be safe to configure your broadband router to block requests to access the web server that potentially has the POODLE vulnerability.

It’s worth noting that blocking this port will only stop traffic leaving or entering your home network from this port. Services that use port 443 should continue to work as normal.

Virgin Media Hub 3

To close the vulnerable port on the Virgin Media Hub 3:

  • Go to your Hub's configuration page – default web address: 192.168.0.1
  • Log in with your username and password (the defaults are shown on the Hub itself)
  • Select 'Security' on the left side of the page
  • Select the 'Port Forwarding' option
  • Remove any rules that will keep port 443 open
  • Select the 'Port Triggering' option
  • Remove any rules that will keep port 443 open

Virgin Media Super Hub

To ensure port 443 is closed on the Super Hub 1 or 2's firewall:

  • Go to your Hub's configuration page – default web address: 192.168.0.1
  • Log in with your username and password (the defaults are shown on the Hub itself)
  • Select 'Advanced Settings' and accept the prompt
  • Scroll down to the 'Security' section
  • Select the 'Port Forwarding' option
  • Tick the 'Delete' box next to any rules that will keep port 443 open
  • Click the 'Apply' option
  • Select the 'Port Triggering' option
  • Tick the 'Delete' box next to any rules that will keep port 443 open
  • Click the 'Apply' option

Third party routers

If you use a third party router alongside your Virgin Media Super Hub or Hub 3, your router's firewall will need to be configured to ensure port 443 isn’t accessible outside of your local network. You can do this by blocking the port or removing any Port Forwarding rules for port 443. To find out how to do this for your router, take a look at the documents for your device or the manufacturer's website.

 

Where can I find further information and advice?

If you’d like further advice then our forum community will be happy to help. Just visit virginmedia.com/community and join the conversation on our Security Matters board.

You can find general security advice and articles on other vulnerabilities by checking Security Hub at virginmedia.com/securityhub.

* These links to external sites are provided as a courtesy and we are not responsible for the content of these sites or any problems encountered whilst applying these steps and we are not able to provide any technical support for such problems.

** These fixes are provided as a courtesy and we are not responsible for any problems encountered whilst applying these steps and we are not able to provide any technical support for such problems.

