1998 Vintage Cryptography Vulnerability Known As ROBOT Re-Emerges

Security researchers disclosed a vulnerability dubbed ROBOT on Dec. 12 that is based on an encryption risk that was first disclosed in 1998. Multiple hardware vendors and well-known public websites were potentially at risk from the flaw, which has now been patched.

The Return Of Bleichenbacher’s Oracle Threat (ROBOT) was reported by security researchers Hanno Böck, Juraj Somorovsky and Craig Young.

“Many web hosts are still vulnerable to one of the oldest attacks against RSA in TLS,” the researcher abstract stated. “We show that Bleichenbacher’s RSA vulnerability from 1998 is still very prevalent in the Internet and affects almost a third of the top 100 domains in the Alexa Top 1 Million list, among them Facebook and Paypal.”

ROBOT Cryptography

“In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 1.5 padding allowed an adaptive-chosen ciphertext attack,” an FAQ on the ROBOT attack states. “This attack fully breaks the confidentiality of TLS when used with RSA encryption.”

The researchers discovered that the same attack with slight varation is still possible against modern websites. There are multiple impacted vendors that include SSL/TLS in their products including Cisco, F5 and Citrix. Craig Young, security researcher at Tripwire and a co-author of the ROBOT research said that he was not terribly surprised to find that there were still SSL/TLS implementations that were vulnerable to the Bleichenbacher attack.

What was surprising to him was that the researchers were able to find reliable attacks on equipment serving so many prominent web sites.

“It has been pretty well-known in the crypto community for some time that the Bleichenbacher countermeasures are difficult to get right,” Young told eWEEK. “One of the driving forces behind this research was to demonstrate conclusively why RSA encryption based key exchange modes should be deprecated from use.”

“We are also aware that other researchers have designed tools for exploiting Bleichenbacher including published algorithms as referenced in our paper,” Young said. “After sufficient time has passed for patch deployment, our attack code will be released for others to study and build upon.”

Tod Beardsley, director of research at security firm Rapid7 commented that he was surprised at the number of sites and vendors that were at risk from the flaw.

“We already have much better key exchange and padding functions widely available today and there is no good reason to keep these around,” Beardsley told eWEEK. “But, I suppose that shouldn’t be too surprising—the internet is pretty sticky when it comes to hanging on to old technologies.”

What Should Users Do?

There is a simple test available that can help organizations to determine if they are at risk from ROBOT. Additionally multiple vendors have issued patches to help mitigate the risk. A full list of vendor patches is available here.

Another option to help mitigate the risk, is the use of the TLS 1.3 protocol which is expected to become a formal standard in 2018. Young noted that the decision was made early on in the standards process that TLS 1.3 will not use the vulnerable static RSA key exchanges that make the ROBOT attack possible.

Beardsley commented that the best thing IT administrators can do today is to see if they’re still providing the affected RSA cyphers and disable those for any service where cryptographic security is desired.

“Also, IT administrators should make it a habit to scan their own environment today, and going forward, in order to catch new TLS endpoints that offer these deprecated RSA ciphers,” Beardsley said. “This should be part and parcel of any normal, routine vulnerability scanning that mature security organizations already perform.

Originally published on eWeek

Quiz: Do you know all about security in 2017?