1998 attack that messes with sites’ secret crypto keys is back in a big way

Share this…

Sites vulnerable to newly revived ROBOT exploit included Facebook and PayPal. A surprisingly big number of top-name websites—Facebook and PayPal among them—recently tested positive for a critical, 19-year-old vulnerability that allowed attackers to decrypt encrypted data and sign communications using the sites’ secret encryption key.

The vulnerability in the transport layer security protocol for Web encryption was disclosed in 1998 when researcher Daniel Bleichenbacher found it in the TLS predecessor known as secure sockets layer. A flaw in the algorithm that handles RSA encryption keys responded to certain types of errors in a way that divulged potentially sensitive information. With enough specially formed queries, attackers could exploit the weakness in a way that allowed them to decrypt ciphertext even when they didn’t have the secret decryption key. SSL architects responded by designing workarounds that suppressed the error messages rather than removing or rewriting the faulty RSA algorithm.

Researchers call the class of crypto vulnerability an Oracle because it provides only “yes” or “no” answers that, over time, can reveal detailed information about the contents of encrypted data. The information allows hackers to carry out what’s known as an “adaptive chosen-ciphertext attack.”

Hiding in plain sight

On Wednesday, a team of researchers said an Internet scan conducted last month found that 27 of the 100 most-visited websites—including Facebook and PayPal—were vulnerable to what was essentially the same attack. About 2.8 percent of the top 1 million sites also tested positive. The researchers also identified developers of firewalls, load balancers, and other large-scale applications that made websites vulnerable to the decryption and impersonation attacks. The findings, the researchers said, underscore the inadequacy of current processes for securing transport layer security, the HTTPS-scheme that’s a cornerstone of Internet security.

“We were able to identify eight vendors and open-source projects and a significant number of hosts that were vulnerable to minor variations of Bleichenbacher’s adaptive-chosen ciphertext attack from 1998,” the researchers wrote in a research paper. “The most notable fact about this is how little effort it took us to do so. We can therefore conclude that there is insufficient testing of modern TLS implementations for old vulnerabilities.”

In a blog post, the researchers were similarly blunt when they wrote:

The surprising fact is that our research was very straightforward. We used minor variations of the original attack and were successful. This issue was hiding in plain sight.

This means neither the vendors of the affected products nor security researchers have investigated this before, although it’s a very classic and well-known attack.

To prove the potential severity of ROBOT—short for “Return Of Bleichenbacher’s Oracle Threat”—the researchers digitally signed a message using the secret key for Facebook’s TLS server. They said Facebook engineers accidentally added the vulnerability to their site when they wrote a custom patch for the OpenSSL crypto library the site used for TLS. The researchers privately notified the social media giant of the vulnerability, and engineers deployed new patches within a week. After refining their ROBOT exploit, the researchers discovered the fix was incomplete. Within a week, Facebook implemented a new fix. Prior to the fix, Facebook’s instagram.com and fbcdn.com domains were also affected, the researchers said.

Websites can also be exposed as a result of using products or projects from a variety of developers. At the moment, the list includes:


F5 BIG-IP SSL vulnerability CVE-2017-6168
Citrix TLS Padding Oracle Vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway CVE-2017-17382
Radware Security Advisory: Adaptive chosen-ciphertext attack vulnerability CVE-2017-17427
Cisco ACE Bleichenbacher Attack on TLS Affecting Cisco Products, End-of-Sale and End-of-Life CVE-2017-17428
Bouncy Castle Fix in 1.59 beta 9, Patch / Commit CVE-2017-13098
Erlang OTP,
OTP 20.1.7
WolfSSL Github PR / patch CVE-2017-13099
MatrixSSL Changes in 3.8.3 CVE-2016-6883
Java / JSSE Oracle Critical Patch Update Advisory – October 2012 CVE-2012-5081

The researchers aren’t naming developers of other vulnerable software who have fixes pending. The researchers also warned that sites that didn’t test positive in the recent scans may still be vulnerable to variations of the exploit.

No patch for widely used Cisco product

The vulnerability of Cisco’s ACE is concerning, because Cisco stopped supporting it several years ago and the researchers said the company has no plans to patch the product line. Even worse, it’s not possible to disable RSA encryption in the product, leaving users unable to follow one of the few possible workarounds for those unable to patch. What’s more, the researchers said Cisco is currently using ACE to serve content on cisco.com. In an email, Cisco officials wrote:

Cisco is aware of the newly discovered industry-wide vulnerability that potentially affects products that encrypt using RSA Public-Key Cryptography Standard #1 v1.5. When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention. This ensures customers are aware of the vulnerability, so they can put best practices in place to mitigate risk and actively monitor their networks for any potential abnormal behavior.

The Cisco advisory is here.

Exploits typically require an attacker to make tens of thousands of connections to a vulnerable site. The requirement puts ROBOT well below the severity of Heartbleed, the critical 2014 vulnerability in OpenSSL that could be exploited in a matter of seconds. Still, ROBOT is serious enough that it deserves immediate attention. Engineers and administrators should make it a top priority to investigate if their sites are vulnerable, either by using this tool or other means. Anyone using a recently patched product should upgrade as soon as possible. Over the longer term, the researchers recommend sites disable RSA encryption in favor of schemes using the Elliptic-Curve Diffie-Hellman key exchange.