The return of a 19 year old vulnerability

Wednesday, 13 December 2017

On 12 December, a group of security researchers disclosed new ways to attack a 19-year-old TLS vulnerability. Successful exploitation may lead to loss of confidentiality and to impersonation. Exploiting the issue is considered difficult, since an attacker needs access to the victim's network connection and has to generate a large amount of traffic. Nevertheless, it is recommended to disable the legacy configuration to prevent any leak of confidential information.

What is going on?

Hanno Böck, Juraj Somorovsky, and Craig Young have discovered that many web servers in the wild are vulnerable to minor variations of Bleichenbacher's adaptive chosen-ciphertext attack from 1998. The attack consists of querying a vulnerable server with successively modified ciphertexts. A server that answers each query with true or false, according to the validity of the ciphertext, acts as an oracle that allows the attacker to decrypt arbitrary ciphertext without access to the private key.

The research paper, named Return Of Bleichenbacher's Oracle Threat (ROBOT), shows that 19 years later companies such as Facebook, PayPal, F5, Citrix, Radware, Cisco, Erlang, Bouncy Castle, and WolfSSL have products that are vulnerable to minor variations of the original attack. The reason is that the countermeasures against Bleichenbacher's attack in the TLS standard are incredibly complicated and have grown more complex over time, which results in vulnerable implementations.

The research paper can be downloaded from here.

Why is this important?

Even though the attack usually takes several tens of thousands of connections to perform, a vulnerable host allows an attacker to perform operations with the server's private key. Depending on the key exchange mechanism, an attacker could passively record traffic and decrypt it later.

Encrypted web sessions are designed to carry sensitive data, such as credit card information, login credentials, and confidential documents, over the network. If these communication channels are attacked, the data being transmitted can be read by the attacker.

What can you do?

The security researchers behind ROBOT have released a Python script that indicates whether a web server is vulnerable or not. Moreover, they have reached out to the developers of several TLS testing tools to include the attack variations disclosed in their research. On their website they mention the following:

  • testssl.sh has a test closely modelled after the ROBOT Attack. A snapshot is available, it’s not yet part of a release.
  • TLS-Attacker already contained Bleichenbacher checks; however, it was extended with additional checks to cover all ROBOT variations.
  • SSLLabs has added a check in their development version.
  • Tripwire IP360 added detection for vulnerable F5 devices in ASPL-753 which was released in coordination with F5’s public advisory.
  • tlsfuzzer has an extensive test script for Bleichenbacher vulns.

It is important to mention that even if the result of the scan says that the server is not vulnerable, the researchers recommend fully deprecating RSA encryption-based key exchanges in TLS. The designers of TLS 1.3 have already decided to deprecate the RSA encryption key exchange. However, as long as compatibility with RSA encryption cipher suites is kept on older TLS versions, these attacks remain a problem.

In this article Mozilla provides a good reference on how to securely configure TLS on web servers. The best option is to follow their "Modern compatibility" list; if an organization needs to allow more cipher suites, the ones with RSA as their key exchange (kx) mechanism should be avoided.
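As an added example (not code from the DearBytes post, the ROBOT paper or Mozilla), the following script classifies the key exchange mechanism of cipher suites by name, in both OpenSSL and IANA notation, and flags those that use RSA encryption for key transport, so a configured cipher list can be checked against the recommendation above. The sample cipher string is constructed for the example.

```python
# Added example: flag cipher suites that use RSA encryption as key exchange (kx).
# Handles OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256) and IANA names
# (TLS_RSA_WITH_AES_128_CBC_SHA). Only explicit suite names are understood,
# not OpenSSL keyword groups such as HIGH or kRSA.

# OpenSSL prefixes that name a non-RSA key exchange. OpenSSL omits the kx part
# for RSA key transport ("AES128-GCM-SHA256"), and RSA-PSK suites start with
# "RSA-", so any name whose first token is not in this set uses RSA kx.
OPENSSL_NON_RSA_KX = {"ECDHE", "DHE", "EDH", "ECDH", "DH", "ADH", "AECDH", "PSK", "SRP"}


def key_exchange(suite: str) -> str:
    """Return the kx mechanism named by a cipher suite, e.g. 'ECDHE' or 'RSA'."""
    if suite.startswith("TLS_"):
        if "_WITH_" not in suite:
            # TLS 1.3 suites (TLS_AES_128_GCM_SHA256) name only AEAD and hash;
            # the key exchange is always ephemeral (EC)DHE, negotiated separately.
            return "TLS1.3"
        kx_auth = suite[len("TLS_"):suite.index("_WITH_")]
        return kx_auth.split("_")[0]  # "ECDHE_RSA" -> "ECDHE", "RSA_PSK" -> "RSA"
    first = suite.split("-")[0]
    return first if first in OPENSSL_NON_RSA_KX else "RSA"


def uses_rsa_key_transport(suite: str) -> bool:
    """True when the premaster secret is RSA-encrypted to the server's public key."""
    return key_exchange(suite) == "RSA"


def audit_cipher_string(cipher_string: str) -> list:
    """Split an OpenSSL-style ':'-separated cipher list; return the suites to remove."""
    suites = [s for s in cipher_string.split(":")
              if s and not s.startswith(("!", "-", "+", "@"))]  # skip modifiers
    return [s for s in suites if uses_rsa_key_transport(s)]


if __name__ == "__main__":
    # Constructed sample: a legacy cipher list that still allows RSA key transport.
    legacy = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
              "DHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:DES-CBC3-SHA")
    for s in audit_cipher_string(legacy):
        print("remove (RSA key transport):", s)
```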

What have DearBytes done?

An internal investigation is being conducted to determine which of the security appliances managed by DearBytes are vulnerable.

For more information: