Vulnerability Note VU#144389
TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding
Original Release date: 12 Dec 2017 | Last revised: 09 Apr 2018

Overview
TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding, and may therefore be vulnerable to Bleichenbacher-style attacks.

This attack is known as the "ROBOT attack".

Description
CWE-203: Information Exposure Through Discrepancy
Transport Layer Security (TLS) is a mechanism for secure transport over network connections, and is defined in RFC 5246.

TLS may utilize RSA cryptography to secure the connection, and Section 7.4.7 of RFC 5246 describes how client and server exchange keys.
Implementations that don't closely follow the descriptions in RFC 5246 may leak information to an attacker when they handle PKCS #1 v1.5 padding errors in ways that let the attacker distinguish between valid and invalid messages.

An attacker may utilize discrepancies in TLS error messages to recover the RSA-encrypted pre-master secret that TLS derives its session keys from, and thereby decrypt sensitive data.

This type of attack has become known as a Bleichenbacher attack.

CERT/CC previously published CERT Advisory CA-1998-07 for this type of attack.
Some modern cryptographic implementations are vulnerable to Bleichenbacher-style attacks on TLS. While RFC 5246 Section 7.4.7.1 provides advice in order to eliminate discrepancies and defend against Bleichenbacher attacks, implementation-specific error and exception handling may nevertheless re-introduce message discrepancies that act as a cryptographic oracle for a Bleichenbacher-style attack.
More information about the research and affected vendors is available from the researcher’s website.

Impact
A remote, unauthenticated attacker may be able to obtain the TLS pre-master secret (TLS session key) and decrypt TLS traffic.

Solution
Disable TLS RSA

Affected users and system administrators are encouraged to disable TLS RSA key-exchange cipher suites if possible. Please refer to your product's documentation or contact the vendor's customer service.
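To verify that "disable TLS RSA" has actually taken effect, the following added example (not part of this note and not any vendor's code) checks an OpenSSL-style cipher string for suites that still use RSA key transport. It relies only on Python's standard ssl module and assumes the server in question uses an OpenSSL-family library whose suite list can be expressed as an OpenSSL cipher string; the RSA_TRANSPORT_KX set and function names are this example's own.

```python
"""Flag TLS cipher suites that use static RSA key transport.

Added example, not part of the vulnerability note. It uses only the standard
library `ssl` module: SSLContext.get_ciphers() reports each suite in the
'openssl ciphers -v' format, whose Kx= field names the key exchange.
"""
import ssl

# Kx= values meaning "the client RSA-encrypts the pre-master secret":
# plain static RSA, and RSA_PSK, which also transports the secret under RSA.
RSA_TRANSPORT_KX = {"RSA", "RSAPSK"}


def key_exchange_of(description: str) -> str:
    """Extract the Kx= value from an OpenSSL cipher description line."""
    for token in description.split():
        if token.startswith("Kx="):
            return token[3:]
    return "unknown"


def rsa_key_exchange_suites(cipher_string: str) -> list:
    """Names of the suites selected by `cipher_string` that use RSA key transport.

    Suites that are RSA-authenticated but (EC)DHE-keyed (Kx=ECDH or Kx=DH,
    Au=RSA) are not returned: the weakness is in the key exchange, not in
    the signature. TLS 1.3 suites report Kx=any and are never returned,
    since TLS 1.3 has no RSA key exchange at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()
            if key_exchange_of(c["description"]) in RSA_TRANSPORT_KX]


if __name__ == "__main__":
    for spec in ("DEFAULT", "DEFAULT:!kRSA:!kRSAPSK"):
        print(f"{spec!r}: RSA key-transport suites = {rsa_key_exchange_suites(spec)}")
```

In OpenSSL cipher-string syntax, appending `!kRSA:!kRSAPSK` removes both static RSA and RSA_PSK key exchange while leaving (EC)DHE suites, which are RSA-signed but not RSA-keyed, in place. The same check can be pointed at the cipher string of a web server or proxy configuration before it is deployed.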

Apply an update

Some products may have software updates available to address this issue.
If an update is available, affected users are encouraged to update product software or firmware. Please see the Affected Vendors list below for more information.

Note for developers

RFC 5246 contains remediation advice for Bleichenbacher-style attacks.

Developers are encouraged to review that advice and ensure that TLS implementations, and software that uses a TLS library, do not introduce further message or timing discrepancies that could be used in a Bleichenbacher-style attack.
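The discrepancy described under Description, and the remediation shape that RFC 5246 Section 7.4.7.1 prescribes, side by side as an added example (not code from this note or from any listed vendor). Both functions operate on the raw RSA decryption output, the padded block, rather than performing RSA themselves; the helper `build_block`, the exception classes and all function names are this example's own, and the sample secrets are constructed.

```python
"""Two ways of unwrapping the RSA-encrypted pre-master secret in a TLS server.

Added example, not code from the vulnerability note or from any vendor.
Both functions take the raw RSA decryption output (the padded block, as long
as the modulus). PKCS#1 v1.5 type 2 layout:
    0x00 0x02 <PS: at least 8 non-zero bytes> 0x00 <48-byte pre-master secret>
"""
import hmac
import os

PREMASTER_LEN = 48   # RFC 5246 7.4.7.1: the pre-master secret is always 48 bytes
MIN_PS_LEN = 8       # PKCS#1 v1.5 requires at least 8 bytes of padding string


class BadPadding(Exception):
    pass


class BadVersion(Exception):
    pass


def unwrap_premaster_oracle(block: bytes, client_version: bytes) -> bytes:
    """Oracle-prone pattern: every defect exits early with a distinguishable error.

    Whether the peer sees a different alert, a different error path or only a
    different response time, each early exit answers "was the padding valid?",
    which is exactly the question a Bleichenbacher-style attack asks.
    """
    if block[:2] != b"\x00\x02":
        raise BadPadding("missing 00 02 header")
    sep = block.find(b"\x00", 2)
    if sep < 2 + MIN_PS_LEN:
        raise BadPadding("separator missing or padding string too short")
    secret = block[sep + 1:]
    if len(secret) != PREMASTER_LEN:
        raise BadPadding("pre-master secret has wrong length")
    if secret[:2] != client_version:
        raise BadVersion("client_version mismatch")
    return secret


def oracle_outcome(block: bytes, client_version: bytes) -> str:
    """What the oracle-prone path lets a peer distinguish: 'ok' or an error kind."""
    try:
        unwrap_premaster_oracle(block, client_version)
        return "ok"
    except (BadPadding, BadVersion) as exc:
        return type(exc).__name__


def unwrap_premaster_uniform(block: bytes, client_version: bytes) -> bytes:
    """RFC 5246 7.4.7.1 pattern: one code path, no exception, random fallback.

    The random fallback (client_version || 46 random bytes) is prepared before
    the block is inspected; every check only clears an `ok` flag, and the final
    choice is made with a byte mask rather than a branch. CPython cannot
    guarantee constant time, so the control-flow shape is the point; a native
    implementation would additionally need constant-time primitives.
    """
    fallback = client_version + os.urandom(PREMASTER_LEN - 2)
    ok = 1
    ok &= int(len(block) >= 2 + MIN_PS_LEN + 1 + PREMASTER_LEN)
    ok &= int(block[:2] == b"\x00\x02")
    # Find the first zero after the header by scanning the whole block.
    sep = -1
    for i in range(2, len(block)):
        if block[i] == 0 and sep == -1:
            sep = i
    ok &= int(sep >= 2 + MIN_PS_LEN)
    candidate = block[sep + 1:] if sep != -1 else b""
    ok &= int(len(candidate) == PREMASTER_LEN)
    # Normalise to 48 bytes so the masked selection below never depends on length.
    candidate = (candidate + bytes(PREMASTER_LEN))[:PREMASTER_LEN]
    ok &= int(hmac.compare_digest(candidate[:2], client_version))
    mask = -ok & 0xFF            # 0xFF if every check passed, else 0x00
    inv = ~mask & 0xFF
    return bytes((c & mask) | (f & inv) for c, f in zip(candidate, fallback))


def build_block(secret: bytes, modulus_len: int) -> bytes:
    """Constructed helper: wrap a secret in PKCS#1 v1.5 type 2 padding."""
    ps = bytes(b or 1 for b in os.urandom(modulus_len - 3 - len(secret)))
    return b"\x00\x02" + ps + b"\x00" + secret


if __name__ == "__main__":
    tls12 = b"\x03\x03"
    good = build_block(tls12 + bytes(46), 128)
    bad_header = b"\x00\x01" + good[2:]
    for name, blk in (("valid", good), ("bad header", bad_header)):
        print(name, "oracle ->", oracle_outcome(blk, tls12))
        print(name, "uniform ->", unwrap_premaster_uniform(blk, tls12)[:4].hex())
```

The uniform variant still ends the handshake with a failed Finished message when the padding was bad, because the two sides derive different keys, but that failure looks the same for every malformed input and happens at the same point in the protocol, which is what removes the oracle.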

Vendor Information
The Vendor Information section below lists the vendors and TLS implementations whose status has been established for this vulnerability.
Separate CVE IDs for each vendor have been assigned due to the implementation-specific nature of the vulnerability.

Vendor                              Status        Date Notified  Date Updated
Cisco                               Affected      15 Nov 2017    14 Dec 2017
Citrix                              Affected      15 Nov 2017    12 Dec 2017
Erlang                              Affected      -              12 Dec 2017
F5 Networks, Inc.                   Affected      15 Nov 2017    20 Nov 2017
Legion of the Bouncy Castle         Affected      15 Nov 2017    12 Dec 2017
MatrixSSL                           Affected      15 Nov 2017    12 Dec 2017
Micro Focus                         Affected      15 Nov 2017    22 Mar 2018
wolfSSL                             Affected      12 Dec 2017    12 Dec 2017
Botan                               Not Affected  15 Nov 2017    20 Nov 2017
Check Point Software Technologies   Not Affected  -              14 Dec 2017
Dell EMC                            Not Affected  15 Nov 2017    29 Nov 2017
Fortinet, Inc.                      Not Affected  -              22 Dec 2017
GnuTLS                              Not Affected  15 Nov 2017    13 Dec 2017
IAIK Java Group                     Not Affected  15 Nov 2017    06 Dec 2017
Microsoft Corporation               Not Affected  15 Nov 2017    12 Dec 2017

CVSS Metrics

Group          Score  Vector
Base           7.1    AV:N/AC:M/Au:N/C:C/I:N/A:N
Temporal       5.6    E:POC/RL:OF/RC:C
Environmental  4.2    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

https://robotattack.org
https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-meyer.pdf
http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf
https://www.cert.org/historical/advisories/CA-1998-07.cfm
https://tools.ietf.org/html/rfc5246#section-7.4.7.1
http://cwe.mitre.org/data/definitions/203.html

Credit

Thanks to Hanno Boeck, Juraj Somorovsky of Ruhr-Universität Bochum / Hackmanit GmbH, and Craig Young of Tripwire VERT for reporting this vulnerability.
This document was written by Garret Wassermann.

Other Information

CVE IDs:
CVE-2017-6168
CVE-2017-1000385
CVE-2017-17427
CVE-2017-13098
CVE-2017-13099
CVE-2017-17428
CVE-2017-17382
CVE-2012-5081
CVE-2016-6883

Date Public:
12 Dec 2017

Date First Published:
12 Dec 2017

Date Last Updated:
09 Apr 2018

Document Revision:
101
