ROBOT Attack: RSA TLS crypto attack worked against Facebook, PayPal, and tens of 100 top domains
13.12.2017 securityaffairs Krypto

ROBOT ATTACK – Security experts have discovered a 19-year-old flaw in the TLS network security protocol that affects many software worldwide.
The security researchers Hanno Böck and Juraj Somorovsky of Ruhr-Universität Bochum/Hackmanit, and Craig Young of Tripwire VERT, have discovered a 19-year-old vulnerability in the TLS network security protocol in the software several tech giants and open-source projects.

The flaw in RSA PKCS #1 v1.5 encryption affects the servers of 27 of the top 100 web domains, including Facebook and PayPal, it could be exploited by an attacker to decrypt encrypted communications.

The researchers dubbed the flaw ROBOT, which stands for Return Of Bleichenbacher’s Oracle Threat.

“ROBOT is the return of a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server.” the researchers explained.

“In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption.

We discovered that by using some slight variations this vulnerability can still be used against many HTTPS hosts in today’s Internet.”

Today we are still discussing the ROBOT attack because the mitigations drawn up at the time were not enough and many software vendors did not properly implement these protections.

“The real underlying problem here is that the protocol designers decided (in 1999) to make workarounds for using an insecure technology rather than replace it with a secure one as recommended by Bleichenbacher in 1998.” said Young.

ROBOT ATTACK

This ROBOT attack could allow attackers to decrypt RSA ciphertexts without recovering the server’s private key as explained in a security advisory published by CISCO.

“An attacker could iteratively query a server running a vulnerable TLS stack implementation to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions.” states the advisory published by Cisco.

“To exploit this vulnerability, an attacker must be able to perform both of the following actions:

Capture traffic between clients and the affected TLS server.
Actively establish a considerable number of TLS connections to the vulnerable server. The actual number of connections required varies with the implementation-specific vulnerabilities, and could range from hundreds of thousands to millions of connections.”
Fortunately, the vulnerability affects only 2.8% of the top million websites, this small value is due to the fact that the affected library is mainly used for expensive commercial products that are often used to enforce security controls on popular websites.

Similar issues exist in XML Encryption, PKCS#11 interfaces, Javascript Object Signing and Encryption (JOSE), and Cryptographic Message Syntax / S/MIME.

As a proof-of-concept for the ROBOT attack, the experts have demonstrated practical exploitation by signing a message with the private key of facebook.com’s HTTPS certificate.

Facebook was using a patched version of OpenSSL for its vulnerable servers, according to the tech giant the issue was caused by custom patches applied by the company.

Facebook has patched its servers before the disclosure of the paper on the ROBOT attack.

Several vendors have fixes pending, the following list includes patches that are already available.

F5 BIG-IP SSL vulnerability CVE-2017-6168
Citrix TLS Padding Oracle Vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway CVE-2017-17382
Radware Security Advisory: Adaptive chosen-ciphertext attack vulnerability CVE-2017-17427
Cisco ACE End-of-Sale and End-of-Life CVE-2017-17428
Bouncy Castle Fix in 1.59 beta 9, Patch / Commit CVE-2017-13098
Erlang OTP 18.3.4.7, OTP 19.3.6.4, OTP 20.1.7 CVE-2017-1000385
WolfSSL Github PR / patch CVE-2017-13099
MatrixSSL Changes in 3.8.3 CVE-2016-6883
Java / JSSE Oracle Critical Patch Update Advisory – October 2012 CVE-2012-5081
According to Young, the most interesting attack scenarios see hackers having access to the target’s network traffic, a position that could be obtained by an attacker exploiting the KRACK attack to target a Wi-Fi connection.

The impact of ROBOT attacks is severe, an attacker can steal sensitive and confidential data, including passwords, credit card data, and other sensitive details.

The experts released a python tool to scan for vulnerable hosts so everyone can check his HTTPS server against ROBOT attack.

Researchers also included countermeasures in their paper, they recommend to deprecate the RSA encryption key exchange in TLS and the PKCS #1 v1.5 standard.

“We can therefore conclude that there is insufficient testing of modern TLS implementations for old vulnerabilities. The countermeasures in the TLS standard to Bleichenbacher’s attack are incredibly complicated and grew more complex over time. It should be clear that this was not a viable strategy to avoid these vulnerabilities.
The designers of TLS 1.3 have already decided to deprecate the RSA encryption
key exchange. However, as long as compatibility with RSA encryption
cipher suites is kept on older TLS versions these attacks remain a problem.” concludes the research paper.

“To make sure Bleichenbacher attacks are finally resolved we recommend to fully
deprecate RSA encryption based key exchanges in TLS. For HTTPS we believe
this can be done today”