A blast from the past - Bug from 1998 makes comeback

December 13, 2017 at 11:14

On Tuesday, December 12, 2017, researchers Hanno Böck and Juraj Somorovsky announced a “new but old” vulnerability (the ROBOT attack) found in certain TLS implementations. Based on the information currently available, the vulnerability is limited to certain TLS implementations, and most TLS or RSA implementations are not affected.

First, some history:

In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 v1.5 padding allowed an adaptive chosen-ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption.

After the bug was announced in 1998, the issue was remediated in TLS implementations, although the remediation was not trivial.
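The non-trivial part of that remediation is the handling of the decrypted block itself: the server must not let the peer learn which padding check failed. The following is an added example, not code from the original post or from the ROBOT researchers, that contrasts the two styles on the unpadding step alone (no RSA arithmetic; the blocks are constructed, the modulus length `K`, the version bytes and the sample names are assumptions). `unpad_naive` fails differently for each defect, which is the oracle; `unpad_tls`, in the spirit of RFC 5246 section 7.4.7.1, yields a random 48-byte premaster secret on every failure so the handshake always continues and fails later in exactly the same way.

```python
import secrets

PREMASTER_LEN = 48              # TLS premaster secret is always 48 bytes
K = 128                         # byte length of a 1024-bit RSA modulus (constructed size)
CLIENT_VERSION = bytes([3, 3])  # TLS 1.2 version bytes the client is expected to send


def _nonzero(n: int) -> bytes:
    """n random bytes from 0x01..0xFF, as used for PKCS#1 v1.5 padding strings."""
    return bytes(secrets.choice(range(1, 256)) for _ in range(n))


def build_block(pms: bytes) -> bytes:
    """A well-formed decrypted block: 00 02 | nonzero pad | 00 | 48-byte premaster."""
    return bytes([0x00, 0x02]) + _nonzero(K - 3 - PREMASTER_LEN) + b"\x00" + pms


def unpad_naive(em: bytes, client_version: bytes) -> bytes:
    """Vulnerable style: each padding defect fails in a different, observable way.

    If any of these branches is visible to the peer (distinct alert, error
    message or timing), the peer has the oracle Bleichenbacher described.
    """
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad PKCS#1 header")
    try:
        sep = em.index(0x00, 2)
    except ValueError:
        raise ValueError("no separator") from None
    if sep < 10:
        raise ValueError("padding string shorter than 8 bytes")
    pms = em[sep + 1:]
    if len(pms) != PREMASTER_LEN:
        raise ValueError("bad premaster length")
    if pms[:2] != client_version:
        raise ValueError("client version mismatch")
    return pms


def unpad_tls(em: bytes, client_version: bytes) -> bytes:
    """Hardened style (RFC 5246 7.4.7.1): every failure yields a fresh random
    48-byte premaster secret, so the handshake continues and later fails in
    Finished with one alert regardless of which check failed. Python cannot
    promise constant time; the property demonstrated is the uniform outcome.
    """
    fallback = secrets.token_bytes(PREMASTER_LEN)
    k = len(em)                      # modulus length is public, branching on it is fine
    if k < 11 + PREMASTER_LEN:
        return fallback
    sep_idx = k - PREMASTER_LEN - 1  # the single 0x00 separator must sit exactly here
    bad = em[0] | (em[1] ^ 0x02) | em[sep_idx]
    for b in em[2:sep_idx]:          # padding string may not contain a zero byte
        bad |= int(b == 0)
    pms = em[sep_idx + 1:]
    bad |= int(pms[:2] != client_version)
    return fallback if bad else pms  # one exit, 48 bytes either way


def observe(unpad, em: bytes, client_version: bytes = CLIENT_VERSION) -> str:
    """What a network peer could distinguish about one decryption attempt."""
    try:
        return f"ok:{len(unpad(em, client_version))}-byte-secret"
    except ValueError as exc:
        return f"error:{exc}"


def outcome_classes(unpad, samples: dict) -> set:
    """Distinct observable outcomes over a set of blocks; more than one class
    means the implementation leaks padding validity, i.e. it is an oracle."""
    return {observe(unpad, em) for em in samples.values()}


# Constructed sample blocks: one valid, four malformed in different ways.
GOOD_PMS = CLIENT_VERSION + secrets.token_bytes(PREMASTER_LEN - 2)
SAMPLES = {
    "valid": build_block(GOOD_PMS),
    "bad_header": bytes([0x00, 0x01]) + build_block(GOOD_PMS)[2:],
    "no_separator": bytes([0x00, 0x02]) + _nonzero(K - 2),
    "short_padding": bytes([0x00, 0x02]) + _nonzero(5) + b"\x00" + _nonzero(K - 8),
    "wrong_version": build_block(bytes([3, 1]) + GOOD_PMS[2:]),
}

if __name__ == "__main__":
    for name, fn in (("naive", unpad_naive), ("tls", unpad_tls)):
        print(name, sorted(outcome_classes(fn, SAMPLES)))
```

Running the block prints five distinct outcome classes for the naive unpadder and a single one for the hardened unpadder. The point for defenders is that the fix is not "reject bad padding" but "make every rejection indistinguishable", including the client-version check, the alert sent and the time taken; the affected products in this post show how easily one of those paths is left distinguishable.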

The new research has now shown that the vulnerability was not fixed properly in at least the products listed below. Instead, slightly modified versions of the attack can be used to break TLS encryption in certain cases even today. In the worst case this may lead to complete compromise of encrypted communications using vulnerable implementations. Unlike e.g. Heartbleed, however, this vulnerability does not compromise the private keys on the server, only the communications, so changing the server's private keys is not necessary.

The currently known list of affected products includes:

  • F5 BIG-IP SSL vulnerability: CVE-2017-6168
  • Citrix TLS Padding Oracle Vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway: CVE-2017-17382
  • Radware Security Advisory, adaptive chosen-ciphertext attack vulnerability: CVE-2017-17427
  • Cisco ACE, Bleichenbacher Attack on TLS Affecting Cisco Products (End-of-Sale and End-of-Life): CVE-2017-17428
  • Bouncy Castle, fix in 1.59 beta 9 (patch / commit): CVE-2017-13098
  • Erlang OTP 18.3.4.7, OTP 19.3.6.4, OTP 20.1.7: CVE-2017-1000385
  • WolfSSL, GitHub PR / patch: CVE-2017-13099
  • MatrixSSL, changes in 3.8.3: CVE-2016-6883
  • Java / JSSE, Oracle Critical Patch Update Advisory - October 2012: CVE-2012-5081

Researchers also published tools to test if you’re affected (https://robotattack.org/).

Anyone running a TLS implementation affected by this should:

  • Install the update provided by the product vendor
  • If no update is available, disable the TLS cipher suites that use RSA encryption for key exchange
  • Use PFS (perfect forward secrecy) cipher suites, which add protection by making such attacks more complex

The researchers have provided a nice webpage with plenty of information (https://robotattack.org/), so if you’re interested in the details, go and take a look.

There is also a lesson to learn here. Often when vulnerabilities are fixed in products or services, the fixes concentrate on the exact issue reported and may fail to identify the actual root cause of the vulnerability, or fail to recognize the magnitude of the impact. This can lead to scenarios like this one, where bugs and vulnerabilities make a comeback later with slightly modified attacks.