A team of three researchers has dusted off an old crypto vulnerability that can still affect major firms relying on RSA encryption key exchanges. Once exploited, the vulnerability could enable an attacker to obtain the private encryption key necessary to decrypt sensitive HTTPS traffic under certain conditions. The three researchers, Tripwire’s Craig Young, researcher and journalist Hanno Böck, and Juraj Somorovsky of Ruhr-Universität Bochum, have informed the vendors affected by the vulnerability. They will make the proof-of-concept code available once all affected vendors have patched the vulnerability, now called ROBOT.
ROBOT, which stands for Return Of Bleichenbacher's Oracle Threat, is the latest in a fairly long line of similar vulnerabilities worked on by researchers. Daniel Bleichenbacher discovered the original threat back in 1998. Since then, researchers have published new variations of the original Bleichenbacher attack in 2003, 2012, 2014, and 2015. This includes 2016’s DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), which until ROBOT was announced was the latest threat to use a variation of Bleichenbacher’s method. DROWN could enable an attacker to crack encrypted communications and steal potentially sensitive data. At the time, it potentially affected a third of all HTTPS sites.
Bleichenbacher’s Original Discovery
In 1998, Daniel Bleichenbacher of Bell Laboratories discovered a bug in how TLS servers operate when server owners choose to encrypt server-client key exchanges with the RSA algorithm. By default, the client chooses a random session key and encrypts it with the server's publicly advertised key. This occurs before the client and the server start communicating via HTTPS. The encrypted session key is then sent to the server, which uses its private key to decrypt the message and save a copy of the session key. This saved copy can then be used later to identify each client.
Because the RSA algorithm on its own is not considered entirely secure, the system adds what is termed a padding system to it. This padding system adds an extra layer of random bits on top of the encrypted session key. Bleichenbacher discovered that if the session key was encrypted with the RSA algorithm and the padding system was PKCS #1 v1.5, an attacker could simply send a random session key to the TLS server and ask if it was valid. In turn, the server would return a simple “yes” or “no” depending on the success. This enabled a potential attacker to perform a simple brute-force attack by guessing the session key. If the guess was correct, the attacker could decrypt all HTTPS messages exchanged between the TLS (HTTPS) server and the client (browser).
ROBOT’s Attack Method
Once Bleichenbacher’s discovery was announced, the designers of the TLS standard decided not to replace the RSA algorithm but instead to add countermeasures that make the brute-force guessing process harder to carry out. This was by no means a permanent fix. It can be regarded as unsuccessful given the number of variations that have circumvented it.
The ROBOT attack relies on skirting the countermeasures put in place by TLS creators back in 1998 and later. According to the researchers, the problem lies in the fact that the TLS standard is very complex and many server equipment vendors fail to properly implement Section 7.4.7.1 of the TLS standard (RFC 5246). This section defines the original Bleichenbacher attack countermeasures. The researchers further stated, “For hosts that usually use forward secrecy, but still support a vulnerable RSA encryption key exchange the risk depends on how fast an attacker is able to perform the attack. We believe that a server impersonation or man in the middle attack is possible, but it is more challenging.”
ROBOT can be seen as merely the latest flaw in the plan to patch discovered vulnerabilities while still using the RSA algorithm. Each new attack method results in another countermeasure. The countermeasures then need to be implemented by the vendor. As a result, each new countermeasure increases the complexity of implementations. Once the complexity increases, so do the chances for another attack variant. It is important to note that although the vulnerability affects TLS connections that use RSA encryption and it can allow an attacker to access protected data, it cannot be exploited to obtain private keys. This means that an attacker does not have access to a universal decryption key, but only to a one-time key for one HTTPS session. To decrypt large quantities of HTTPS traffic, ROBOT attacks require a large computational effort.
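The difference between a server that answers “yes” or “no” and one that applies the RFC 5246 countermeasure can be shown side by side. This is an added example, not code from the researchers or any vendor; the toy RSA key, the function names and the alert strings are constructed for illustration.

```python
import hmac, os, secrets

# Constructed toy key (two well-known 255/256-bit primes); illustration only.
P, Q, E = 2**255 - 19, 2**256 - 2**32 - 977, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8              # modulus length in bytes (64)
SEP = K - 49                               # where the 0x00 separator must sit

def rsa_raw(block: bytes, exp: int) -> bytes:
    return pow(int.from_bytes(block, "big"), exp, N).to_bytes(K, "big")

def encrypt_pms(pms: bytes) -> bytes:
    """Client side: 00 02 | nonzero random padding | 00 | premaster secret."""
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(pms)))
    return rsa_raw(b"\x00\x02" + ps + b"\x00" + pms, E)

def leaky_server(ct: bytes, version: bytes = b"\x03\x03"):
    """Answers differently per failure: this is the yes/no oracle."""
    em = rsa_raw(ct, D)
    if em[:2] != b"\x00\x02" or 0 in em[2:10] or 0 not in em[10:]:
        return "alert: bad padding", None
    pms = em[em.index(b"\x00", 10) + 1:]
    if len(pms) != 48 or pms[:2] != version:
        return "alert: bad premaster", None
    return "continue", pms

def hardened_server(ct: bytes, version: bytes = b"\x03\x03"):
    """Countermeasure as in RFC 5246 section 7.4.7.1: never report the failure.
    A random secret is drawn first and silently used if anything is wrong, so
    the handshake only fails later, at Finished, the same way for every error.
    (Python gives no constant-time guarantee; real stacks also equalise timing.)"""
    fallback = os.urandom(48)
    em = rsa_raw(ct, D)
    ok = hmac.compare_digest(em[:2], b"\x00\x02")
    ok &= em[SEP] == 0
    ok &= min(em[2:SEP]) != 0
    ok &= hmac.compare_digest(em[SEP + 1:SEP + 3], version)
    return "continue", (em[SEP + 1:] if ok else fallback)
```

Any observable difference between the failure paths (a distinct alert, a dropped connection, a timing gap) brings the oracle back, which is why the hardened handler returns the same status for every input.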
Until patches for the vulnerable products arrive, the researchers and US-CERT recommend that owners of vulnerable devices disable TLS session key RSA encryption (also known as RSA encryption mode) on their device. As most devices also support Elliptic Curve Diffie Hellman (ECDH) session key encryption, this session key encryption method is seen as preferable to RSA algorithms.
ROBOT impacts products developed by Citrix (CVE-2017-17382), Radware (CVE-2017-17427), Cisco (CVE-2017-17428), Bouncy Castle (CVE-2017-13098), Erlang (CVE-2017-1000385), WolfSSL (CVE-2017-13099), and F5 (CVE-2017-6168). Patches have been released for many of the products listed above other than Cisco. Cisco informed the researchers that its ACE product line affected by the vulnerability was discontinued several years ago and that it won't provide an update. Unfortunately, these devices do not support any other cipher suites. This means that disabling RSA is not an option. The researchers contend that it is not possible to use these devices for TLS connections in a secure way.
As an unwanted side effect, the researchers also state that 27 of the Alexa Top 100 websites are vulnerable to the ROBOT attack. Vulnerable websites include Facebook and PayPal. To prove this claim, the research paper published by the researchers includes a case study of how they decrypted Facebook traffic. The 27 listed may not be the only Alexa Top 100 websites affected. To that end, the researchers have added a Python script to GitHub that can help server admins scan for vulnerable hosts. A ROBOT vulnerability checker has also been added to the ROBOT attack homepage.
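For servers configured through OpenSSL cipher strings, the recommendation can be applied and then verified with Python's standard `ssl` module. This is an added example, not the researchers' scanner; the two cipher strings and the function names are constructed for the comparison.

```python
import ssl

def server_context(cipher_string: str) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)      # governs TLS 1.2 and earlier suites
    return ctx

def rsa_key_exchange_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites whose key exchange is RSA encryption.
    Filtering on 'kea' rather than on the suite name matters: ECDHE-RSA-*
    suites use RSA to sign the handshake, not to encrypt the session key."""
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if c.get("kea") == "kx-rsa")

# Constructed cipher strings for comparison.
LEGACY = "AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"   # first suite is RSA kx
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20:!kRSA:!aNULL"      # !kRSA removes RSA kx

if __name__ == "__main__":
    for label, spec in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(label, rsa_key_exchange_suites(server_context(spec)))
```

An empty list for the deployed cipher string means no RSA-encryption key exchange is on offer from that context.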