ROBOT Attack

ROBOT Attack


A vulnerability in the RSA cryptography used by TLS implementations has recently been disclosed. Transport Layer Security (TLS) is a mechanism for a security transport over network connections. The ROBOT Attack is based on a 19-year-old vulnerability discovered by Daniel Bleichenbacher that allows an attacker to decrypt arbitrary ciphertext without access to the RSA private key.


At this time we are not aware of this vulnerability being exploited in the wild. Our Threat Intelligence team will continue to monitor for updates as more information becomes available.


  • CVE-2017-6168 – (F5) BIG-IP SSL vulnerability
  • CVE-2017-17382 – (Citrix) TLS Padding Oracle Vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway
  • CVE-2017-17427 – (Radware) Security Advisory: Adaptive chosen-ciphertext attack vulnerability
  • CVE-2017-17428 – (Cisco ACE) Bleichenbacher Attack on TLS Affecting Cisco Products
  • CVE-2017-13098 – (Bouncy Castle) Fix deployed in v1.59 beta 9.
  • CVE-2017-1000385 – (Erlang) Fix deployed in OTP, OTP, OTP 20.1.7
  • CVE-2017-13099 – (WolfSSL) Fix has been merged on Github.
  • CVE-2016-6883 – (MatrixSSL) Fix deployed in v3.8.3.
  • CVE-2012-5081 – (Java / JSSE) Oracle Critical Patch Update Advisory


Vulnerable implementations from the following vendors have been identified. Any hosts that only support RSA encryption key exchanges could be affected and any protocol that uses RSA PKCS #1 v1.5 is at risk of exploitation.

  • F5
  • Cisco ACE
  • Bouncy Castle
  • Erlang
  • Citrix
  • WolfSSL
  • Radware
  • Matrix SSL
  • Java / JSSE


The ROBOT attack is a cryptographic padding oracle attack that exploits a vulnerability in the key exchange of TLS implementations that use RSA cryptography. Implementations may leak information to an attacker when handling PKCS #1 v1.5 padding errors in a way that allows the attacker to distinguish between valid and invalid messages. Using those discrepancies in the TLS error messages, the attacker can obtain the private RSA key used by TLS to decrypt sensitive data. This type of attack is known as a Bleichenbacher attack. The authors were able to demonstrate this vulnerability by signing a test method with Facebook’s private key.

For hosts that use forward secrecy, but still support a vulnerable RSA encryption key exchange, the risk depends on how fast an attacker is able to perform the attack. The authors further theorize that server impersonation or man-in-the-middle attacks are possible, but more challenging. For further information, please reference the authors’ whitepaper


We recommend the following actions be taken:

  • Install updates for affected products (if available).
  • Disable ciphers that start with TLS_RSA.
      Compatibility risk should be low. Cloudflare data shows that only around one percent of connections they see use RSA encryption.
  • A vulnerability checker is available through (This is a third party application that has not been vetted by Masergy for safety or effectiveness. Use at your own discretion.)


Hanno Bock, et. al
Bouncy Castle