
TLS exploit ‘ROBOT’ capitalizes on 19-year-old vulnerability; vendors issue patch

Researchers recently discovered that a nearly two-decade-old vulnerability in TLS stacks was still exploitable because the protective countermeasures were insufficient, including on some highly popular websites, thereby endangering users of multiple TLS servers and devices.

The flaw, which allows malicious actors to capture and decrypt a TLS server's RSA-encrypted traffic – potentially enabling server impersonation and man-in-the-middle attacks – was observed in 27 of the top 100 domains ranked by Alexa, including those operated by Facebook and PayPal, according to a newly released report.

The vulnerability was originally identified in 1998 in the Secure Sockets Layer (SSL) 3.0 protocol by Daniel Bleichenbacher, who discovered that PKCS (Public-Key Cryptography Standards) #1 v1.5 padding errors can lead SSL servers to return error messages that differ in observable ways, which attackers can leverage to gradually decipher RSA-encrypted content. This breed of chosen-ciphertext attack is otherwise known as the Bleichenbacher or "million message" attack.

After Bleichenbacher revealed his attack method, various countermeasures were put in place to curtail such exploits, but the researchers found that some minor tweaks made the attacks viable again, even against HTTPS-based data transport between networks. The researchers – Hanno Böck and Juraj Somorovsky from German web application security company Hackmanit GmbH, and Craig Young from Tripwire VERT – named their new variation of the exploit ROBOT, which stands for Return of Bleichenbacher's Oracle Threat.

“The current vulnerabilities are the result of a general failure to properly implement or test these [previous] countermeasures in popular products,” states Young in a Tripwire VERT security update.
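As an added illustration (not code from the ROBOT report or from any vendor's TLS stack), the Python below contrasts a PKCS #1 v1.5 unpadding routine that reveals which padding check failed with one that applies the standard countermeasure from RFC 5246 section 7.4.7.1: substitute a random premaster secret on any failure and let the handshake fail later, uniformly. It works on the already-decrypted RSA block; the RSA step is omitted, and the constants and sample inputs are assumptions made for the example.

```python
import secrets

PREMASTER_LEN = 48  # TLS premaster secret: 2 version bytes + 46 random bytes


class BadPaddingError(ValueError):
    """Raised by the oracle-prone variant; its text says *why* it failed."""


def unpad_oracle(em: bytes) -> bytes:
    """Vulnerable style: each padding defect produces a different failure.
    A server that lets those differences reach the client (distinct alerts,
    timing, resets) hands the attacker a Bleichenbacher oracle."""
    if em[:2] != b"\x00\x02":
        raise BadPaddingError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep == -1:
        raise BadPaddingError("missing separator")
    if sep - 2 < 8:
        raise BadPaddingError("padding string too short")
    msg = em[sep + 1:]
    if len(msg) != PREMASTER_LEN:
        raise BadPaddingError("premaster secret has wrong length")
    return msg


def oracle_response(em: bytes) -> str:
    """What an unpatched server effectively tells the client."""
    try:
        unpad_oracle(em)
        return "ok"
    except BadPaddingError as exc:
        return str(exc)


def unpad_uniform(em: bytes, client_version: bytes) -> bytes:
    """Countermeasure (RFC 5246 section 7.4.7.1): never signal failure.
    Any defect (block type, separator, length, version) is replaced by a
    fresh random premaster secret, so the handshake fails in the Finished
    check exactly as a wrong guess would. Python cannot make this branch-
    free; real stacks must also avoid timing differences."""
    fallback = client_version + secrets.token_bytes(PREMASTER_LEN - 2)
    sep = em.find(b"\x00", 2)
    msg = em[sep + 1:] if sep != -1 else b""
    ok = em[:2] == b"\x00\x02" and sep - 2 >= 8
    ok = ok and len(msg) == PREMASTER_LEN and msg[:2] == client_version
    return msg if ok else fallback


def pad_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """Type-2 padding for a k-byte modulus; used here only to build inputs."""
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg
```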

The trio of researchers found vulnerable implementations in TLS stacks from F5, Citrix, Radware, Cisco, Bouncy Castle, Erlang, and wolfSSL, as well as several more vendors that still have fixes pending and thus were not publicly named. (The researchers also noted that TLS stacks from MatrixSSL and JSSE contained different, older vulnerabilities, but were included in the report because “we still see vulnerable hosts.”)

Aside from applying vendor updates, the researchers recommend users disable RSA encryption – specifically all ciphers that start with TLS_RSA. “Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures,” explain the researchers in their report. “We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky, these modes also lack forward secrecy.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
