ROBOT Attack

OVERVIEW

A vulnerability in the RSA cryptography used by TLS implementations has recently been disclosed. Transport Layer Security (TLS) is a mechanism for secure transport over network connections. The ROBOT Attack is based on a 19-year-old vulnerability discovered by Daniel Bleichenbacher that allows an attacker to decrypt arbitrary ciphertext without access to the RSA private key.

THREAT INTELLIGENCE

At this time we are not aware of this vulnerability being exploited in the wild. Our Threat Intelligence team will continue to monitor for updates as more information becomes available.

VULNERABILITIES

  • CVE-2017-6168 – (F5) BIG-IP SSL vulnerability
  • CVE-2017-17382 – (Citrix) TLS Padding Oracle Vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway
  • CVE-2017-17427 – (Radware) Security Advisory: Adaptive chosen-ciphertext attack vulnerability
  • CVE-2017-17428 – (Cisco ACE) Bleichenbacher Attack on TLS Affecting Cisco Products
  • CVE-2017-13098 – (Bouncy Castle) Fix deployed in v1.59 beta 9.
  • CVE-2017-1000385 – (Erlang) Fix deployed in OTP 18.3.4.7, OTP 19.3.6.4, OTP 20.1.7
  • CVE-2017-13099 – (WolfSSL) Fix has been merged on Github.
  • CVE-2016-6883 – (MatrixSSL) Fix deployed in v3.8.3.
  • CVE-2012-5081 – (Java / JSSE) Oracle Critical Patch Update Advisory

SYSTEMS AFFECTED

Vulnerable implementations from the following vendors have been identified. Any hosts that only support RSA encryption key exchanges could be affected and any protocol that uses RSA PKCS #1 v1.5 is at risk of exploitation.

  • F5
  • Cisco ACE
  • Bouncy Castle
  • Erlang
  • Citrix
  • WolfSSL
  • Radware
  • Matrix SSL
  • Java / JSSE

TECHNICAL SUMMARY

The ROBOT attack is a cryptographic padding oracle attack that exploits a vulnerability in the key exchange of TLS implementations that use RSA cryptography. Implementations may leak information to an attacker when handling PKCS #1 v1.5 padding errors in a way that allows the attacker to distinguish between valid and invalid messages. Using those discrepancies in the TLS error messages, the attacker can use the server as a decryption oracle to recover the RSA-encrypted premaster secret and decrypt sensitive data, without ever obtaining the private RSA key. This type of attack is known as a Bleichenbacher attack. The authors were able to demonstrate this vulnerability by signing a test message with Facebook's private key.
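As an added illustration (not code from the advisory or from any affected vendor), the Python below contrasts a ClientKeyExchange unpadding routine that leaks which PKCS #1 v1.5 check failed with one that applies the RFC 5246 countermeasure of silently continuing with a random premaster secret. The 128-byte modulus size and the TLS 1.2 client version are assumed sample values, and the RSA operation itself is omitted because the oracle lives in what the server does after decryption.

```python
import os
import secrets
# Assumed for the constructed sample: a 1024-bit RSA modulus (k = 128 bytes)
# and a client that advertised TLS 1.2 in its ClientHello.
K = 128
CLIENT_VERSION = b"\x03\x03"

class PaddingError(Exception): pass
class VersionError(Exception): pass

def build_padded_block(pms: bytes, k: int = K) -> bytes:
    """EME-PKCS1-v1_5 type 2 block, i.e. what RSA decryption of a
    ClientKeyExchange yields: 0x00 0x02 || non-zero padding || 0x00 || pms."""
    assert len(pms) == 48
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(pms)))
    return b"\x00\x02" + ps + b"\x00" + pms

def unpad_vulnerable(em: bytes, client_version: bytes) -> bytes:
    """Each check fails differently, so the failure mode itself is an oracle."""
    if em[0:2] != b"\x00\x02":
        raise PaddingError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # PKCS #1 requires at least 8 bytes of padding
        raise PaddingError("bad separator")
    pms = em[sep + 1:]
    if len(pms) != 48:
        raise PaddingError("bad length")
    if pms[:2] != client_version:
        raise VersionError("version mismatch")
    return pms

def oracle_response(em: bytes, client_version: bytes) -> str:
    """What an observer learns from the vulnerable path: which error fired."""
    try:
        unpad_vulnerable(em, client_version)
        return "ok"
    except (PaddingError, VersionError) as exc:
        return type(exc).__name__

def unpad_hardened(em: bytes, client_version: bytes) -> bytes:
    """RFC 5246 section 7.4.7.1: never signal a padding failure; on any problem
    continue with client_version || 46 random bytes so the handshake fails later."""
    r = os.urandom(46)
    ok = em[0:2] == b"\x00\x02"
    sep = em.find(b"\x00", 2)
    ok &= sep >= 10
    m = em[sep + 1:] if sep >= 0 else b""
    ok &= len(m) == 48
    # Version bytes are replaced with the client's, not checked: no version oracle.
    return client_version + (m[2:] if ok else r)
```

A production implementation must also make the checks themselves constant-time, since a timing difference is as useful to an attacker as a distinct alert.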

For hosts that use forward secrecy but still support a vulnerable RSA encryption key exchange, the risk depends on how fast an attacker is able to perform the attack. The authors further theorize that server impersonation or man-in-the-middle attacks are possible, but more challenging. For further information, please reference the authors' whitepaper at eprint.iacr.org/2017/1189.

RECOMMENDATIONS

We recommend the following actions be taken:

  • Install updates for affected products (if available).
  • Disable cipher suites whose names start with TLS_RSA (those using RSA key exchange).
      Compatibility risk should be low. Cloudflare data shows that only around one percent of connections they see use RSA encryption.
  • A vulnerability checker is available through robotattack.org (This is a third party application that has not been vetted by Masergy for safety or effectiveness. Use at your own discretion.)

REFERENCES

CVE
US-CERT
Hanno Böck, et al.
F5
Citrix
Radware
Cisco
Bouncy Castle
  • downloads.bouncycastle.org/betas/
  • github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c
Erlang
WolfSSL
MatrixSSL
Oracle
