[aklug] "new" RSA vulnerability in some TLS implementations - ROBOT attack

Royce Williams royce at tycho.org
Tue Dec 12 07:13:12 AKST 2017


>From the page:

The Vulnerability

ROBOT is the return of a 19-year-old vulnerability that allows
performing RSA decryption and signing operations with the private key
of a TLS server.

In 1998, Daniel Bleichenbacher discovered that the error messages
given by SSL servers for errors in the PKCS #1 1.5 padding allowed an
adaptive-chosen ciphertext attack; this attack fully breaks the
confidentiality of TLS when used with RSA encryption.

We discovered that by using some slight variations this vulnerability
can still be used against many HTTPS hosts in today's Internet.

How bad is it?

For hosts that are vulnerable and only support RSA encryption key
exchanges it's pretty bad. It means an attacker can passively record
traffic and later decrypt it.

For hosts that usually use forward secrecy, but still support a
vulnerable RSA encryption key exchange the risk depends on how fast an
attacker is able to perform the attack. We believe that a server
impersonation or man in the middle attack is possilbe, but it is more

Who is affected?

We have identifed vulnerable implementations from at least seven
vendors including F5, Citrix, and Cisco. (Current patch status is
listed below.)

Some of the most popular webpages on the Internet were affected,
including Facebook and Paypal. In total, we found vulnerable
subdomains on 27 of the top 100 domains as ranked by Alexa.

More information about the aklug mailing list