Return Of Bleichenbacher Oracle Threat [ROBOT]

ROBOT (Return Of Bleichenbacher Oracle Threat) is an attack model based on Daniel Bleichenbacher's chosen-ciphertext attack. Bleichenbacher discovered an adaptive chosen-ciphertext attack against protocols using RSA and demonstrated the ability to perform RSA private-key operations. Researchers have been able to exploit the same vulnerability with small variations to the Bleichenbacher attack.

Attack Model
The PKCS #1 v1.5 padding mode used in SSL is susceptible to an adaptive chosen-ciphertext attack through the server's error messages. This compromises the confidentiality of TLS when it is used with RSA. It allows an attacker to decrypt ciphertexts, including previously recorded sessions, or to sign messages with the server's private key. The ROBOT attack does not recover the server's private key.

Services that support TLS with RSA are vulnerable to offline attacks. Hosts supporting forward secrecy with RSA are vulnerable to a man-in-the-middle attack, as the attacker is able to sign messages using the private key, but this approach has limitations. The vulnerability is the result of an implementation bug in the server code. The researchers claim that many websites in the Alexa top 100 are vulnerable. They have identified many vendors, such as F5, Citrix and Cisco, as affected by this vulnerability. Currently there is no PoC publicly available.

Mitigation
Please use the Qualys SSL Labs tool to test for the ROBOT attack; the result is listed in the “Protocol Details” section of the report under the name “Bleichenbacher vuln”. We request our clients to apply the latest patches released by the respective vendors. If patching is not immediately possible, please consider disabling RSA encryption-based key exchange modes where possible. Scan your network with the QIDs listed below to detect vulnerable targets. Qualys will continue to add more detections as vendors release their fixes to address the ROBOT attack.

QID Description
370661 F5 BIG-IP ASM OpenSSL Man in the Middle Vulnerability (K21905460) (ROBOT Attack / Bleichenbacher Attack)
370683 Citrix NetScaler ADC and Gateway TLS Padding Oracle Vulnerability (CTX230238) (ROBOT Attack / Bleichenbacher Attack)
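
The following is an added example, not part of the original post or of any Qualys tooling: a way to confirm that a server cipher string really has RSA encryption-based key exchange disabled, as recommended above. It assumes CPython linked against OpenSSL 1.1.0 or later; the cipher strings BEFORE and AFTER and the function names are constructed for illustration.

```python
import ssl


def rsa_kx_suites(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL library and
    return the suites whose key exchange is RSA encryption.

    OpenSSL reports these with kea 'kx-rsa' (and 'kx-rsa-psk' for RSA-PSK).
    Suites such as ECDHE-RSA-* only use RSA for authentication (kea
    'kx-ecdhe') and are not flagged.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return sorted(
        c["name"]
        for c in ctx.get_ciphers()
        if c.get("kea", "").startswith("kx-rsa")
    )


def audit(cipher_string):
    """Return a small report for one cipher string."""
    flagged = rsa_kx_suites(cipher_string)
    return {
        "cipher_string": cipher_string,
        "rsa_key_exchange": flagged,
        "ok": not flagged,
    }


# Constructed sample values, in the style of a web server cipher setting.
BEFORE = "HIGH:!aNULL:!MD5"                 # still offers RSA key exchange
AFTER = "HIGH:!aNULL:!MD5:!kRSA:!kRSAPSK"   # RSA key exchange removed

if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER)):
        report = audit(value)
        status = "OK" if report["ok"] else "RSA key exchange still enabled"
        print(f"{label}: {value} -> {status}")
        for name in report["rsa_key_exchange"]:
            print(f"    {name}")
```

The check only covers what the cipher string allows on the machine where it runs; appliances and TLS stacks that are not OpenSSL-based need their own configuration reviewed.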

Please continue to follow Qualys Threat Protection for information about this vulnerability.

