Lucene search

K
certCERTVU:144389
HistoryDec 12, 2017 - 12:00 a.m.

TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding

2017-12-1200:00:00
www.kb.cert.org
602

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:C/I:N/A:N

0.042 Low

EPSS

Percentile

92.1%

Overview

TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding, and may therefore be vulnerable to Bleichenbacher-style attacks. This attack is known as a “ROBOT attack”.

Description

CWE-203: Information Exposure Through Discrepancy

Transport Layer Security (TLS) is a mechanism for a security transport over network connections, and is defined in RFC 5246. TLS may utilize RSA cryptography to secure the connection, and section 7.4.7 describes how client and server may exchange keys. Implementations that don’t closely follow the descriptions in RFC 5246 may leak information to an attacker when they handle PKCS #1 v1.5 padding errors in ways that lets the attacker distinguish between valid and invalid messages. An attacker may utilize discrepancies in TLS error messages to obtain the pre-master secret key private RSA key used by TLS to decrypt sensitive data. This type of attack has become known as a Bleichenbacher attack. CERT/CC previously published CERT Advisory CA-1998-07 for this type of attack.

Some modern cryptographic implementations are vulnerable to Bleichenbacher-style attacks on TLS. While RFC 5246 Section 7.4.7.1 provides advice in order to eliminate discrepancies and defend against Bleichenbacher attacks, implementation-specific error and exception handling may nevertheless re-introduce message discrepancies that act as a cryptographic oracle for a Bleichenbacher-style attack.

More information about the research and affected vendors is available from the researcher’s website.


Impact

A remote, unauthenticated attacker may be able to obtain the TLS pre-master secret (TLS session key) and decrypt TLS traffic.


Solution

Disable TLS RSA

Affected users and system administrators are encouraged to disable TLS RSA cyphers if possible. Please refer to your product’s documentation or contact the vendor’s customer service.

Apply an update

Some products may have software updates available to address this issue. If an update is available, affected users are encouraged to update product software or firmware. Please see the Affected Vendors list below for more information.

Note for developers

RFC 5246 contains remediation advice for Bleichenbacher-style attacks. Developers are encouraged to review the advice and ensure implementations of TLS or software that utilizes a TLS library does not introduce further message or timing discrepancies that may be used in a Bleichenbacher-style attack.


Vendor Information

The Vendor Information section below lists implementations and vendors that have been identified as vulnerable TLS implementations. Separate CVE IDs for each vendor have been assigned due to the implementation-specific nature of the vulnerability.


144389

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Cisco __ Affected

Notified: November 15, 2017 Updated: December 14, 2017

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Cisco ACE is affected, and assigned CVE-2017-17428

Cisco ASA is affected and assigned CVE-2017-12373
Please see Cisco’s security advisory for full vendor statement.

Vendor References

Citrix __ Affected

Notified: November 15, 2017 Updated: December 12, 2017

Statement Date: December 12, 2017

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Citrix NetScaler ADC and Gateway - CVE-2017-17382

Vendor References

Erlang __ Affected

Updated: December 12, 2017

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

This vulnerability was assigned CVE-2017-1000385.

Vendor References

F5 Networks, Inc. __ Affected

Notified: November 15, 2017 Updated: November 20, 2017

Statement Date: November 17, 2017

Status

Affected

Vendor Statement

F5 Networks made a public announcement of this issue today as CVE-2017-6168 – please see <https://support.f5.com/csp/article/K21905460&gt;

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Legion of the Bouncy Castle __ Affected

Notified: November 15, 2017 Updated: December 12, 2017

Statement Date: December 12, 2017

Status

Affected

Vendor Statement

BouncyCastle TLS servers, when configured to use the JCE (Java
Cryptography Extension) for cryptographic functions, contained a weak
Bleichenbacher oracle when any TLS cipher suite using RSA key exchange
was negotiated. This specifically includes servers using the BCJSSE
provider in its default configuration.

Affected software:
bctls-fips-1.0.2.jar and earlier versions
bctls-jdk15on-1.58.jar and earlier versions

Note that the older TLS implementation (in the
org.bouncycastle.crypto.tls package) is not vulnerable.

For FIPS users, the issue is fixed in
bctls-fips-1.0.3.jar

We recommend all FIPS users upgrade as soon as possible.

For the regular API, version 1.59 containing the fix is expected to be
available before the end of 2017. In the meantime, beta versions
beginning with 1.59b09 contain the fix, and are available from
<https://downloads.bouncycastle.org/betas/&gt; . We recommend users upgrade
immediately to
bctls-jdk15on-159b09.jar

and then upgrade to the full 1.59 release as soon as it is available. If
continuing to deploy vulnerable versions, we strongly recommend
disabling TLS cipher suites that use RSA key exchange.

Vendor Information

CVE-2017-13098 was assigned to BouncyCastle.

Vendor References

MatrixSSL __ Affected

Notified: November 15, 2017 Updated: December 12, 2017

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

MatrixSSL was previously known affected in versions prior to 3.8.3, and assigned CVE-2016-6883.

Vendor References

Micro Focus __ Affected

Notified: November 15, 2017 Updated: March 22, 2018

Statement Date: March 22, 2018

Status

Affected

Vendor Statement

Certain versions of Micro Focus Host Access Management and Security Server, Reflection for the Web, Reflection ZFE and Verastream Software Development Kit for Unisys and Airlines are affected by CVE-2017-13098. Updates which address the issue are available for these products. More information is available at https://support.microfocus.com/kb/doc.php?id=7022561.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

wolfSSL __ Affected

Notified: December 12, 2017 Updated: December 12, 2017

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Assigned CVE-2017-13099

Vendor References

Botan Not Affected

Notified: November 15, 2017 Updated: November 20, 2017

Statement Date: November 16, 2017

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Check Point Software Technologies Not Affected

Updated: December 14, 2017

Statement Date: December 14, 2017

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Dell EMC __ Not Affected

Notified: November 15, 2017 Updated: November 29, 2017

Statement Date: November 28, 2017

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

EMC does not develop TLS stacks and so is unaffected.

Fortinet, Inc. Not Affected

Updated: December 22, 2017

Statement Date: December 22, 2017

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GnuTLS Not Affected

Notified: November 15, 2017 Updated: December 13, 2017

Statement Date: December 13, 2017

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IAIK Java Group __ Not Affected

Notified: November 15, 2017 Updated: December 06, 2017

Statement Date: December 06, 2017

Status

Not Affected

Vendor Statement

iSaSiLk TLS is not affected.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation __ Not Affected

Notified: November 15, 2017 Updated: December 12, 2017

Statement Date: December 12, 2017

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Microsoft is not affected in default configurations.

OpenSSL Not Affected

Notified: November 15, 2017 Updated: November 20, 2017

Statement Date: November 17, 2017

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

RSA Security LLC __ Not Affected

Notified: November 15, 2017 Updated: December 13, 2017

Statement Date: November 28, 2017

Status

Not Affected

Vendor Statement

RSA BSAFE TLS stacks are not vulnerable to the reported vulnerability.

Vendor Information

Please see the statement below. The URL requires RSA Link Support credentials.

Vendor References

VMware __ Not Affected

Updated: March 22, 2018

Statement Date: March 22, 2018

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The following products are NOT impacted, please see the vendor's security advisory for more information.

VMware ESXi Site Recovery Manager vCloud Director for Service Providers vRealize Automation vRealize Business for Cloud vRealize Orchestrator vRealize Operations

Vendor References

s2n Not Affected

Notified: November 15, 2017 Updated: December 08, 2017

Statement Date: December 07, 2017

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ARM mbed TLS Unknown

Notified: November 15, 2017 Updated: November 15, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Apache HTTP Server Project Unknown

Notified: November 15, 2017 Updated: November 15, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Apple Unknown

Notified: November 15, 2017 Updated: November 15, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

BoringSSL Unknown

Notified: November 15, 2017 Updated: November 15, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CREDANT Technologies, Inc. Unknown

Notified: November 15, 2017 Updated: November 15, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Certicom Unknown

Notified: December 12, 2017 Updated: December 12, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Cryptlib Unknown

Notified: November 15, 2017 Updated: November 15, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Crypto++ Library Unknown

Notified: November 15, 2017 Updated: November 15, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

GnuPG Unknown

Notified: December 12, 2017 Updated: December 12, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Go Programming Language Unknown

Notified: November 15, 2017 Updated: November 15, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Google Unknown

Notified: November 15, 2017 Updated: November 15, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM, INC. Unknown

Notified: November 15, 2017 Updated: November 15, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

LibTom Unknown

Notified: November 15, 2017 Updated: November 15, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

LibreSSL Unknown

Notified: December 12, 2017 Updated: December 12, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Nettle Unknown

Notified: November 15, 2017 Updated: November 15, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Oracle Corporation __ Unknown

Notified: November 15, 2017 Updated: December 18, 2017

Statement Date: December 15, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

According to the reporter, Java/JSSE were previously known vulnerable in 2012 and assigned CVE-2012-5081. We do not currently have any verification that CVE-2012-5081 was a Bleichenbacher-style vulnerability, but the vulnerability was resolved in 2012 in any case. Please ensure you are using the release of any products since 2012.

Vendor References

PGP Corporation Unknown

Notified: November 15, 2017 Updated: November 15, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Palo Alto Networks Unknown

Notified: December 12, 2017 Updated: December 12, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SafeNet Unknown

Notified: November 15, 2017 Updated: November 15, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Spyrus Unknown

Notified: November 15, 2017 Updated: November 15, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

aep NETWORKS Unknown

Notified: November 15, 2017 Updated: November 15, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

libgcrypt Unknown

Notified: December 12, 2017 Updated: December 12, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

mod_ssl Unknown

Notified: December 12, 2017 Updated: December 12, 2017

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

View all 42 vendors __View less vendors __

CVSS Metrics

Group Score Vector
Base 7.1 AV:N/AC:M/Au:N/C:C/I:N/A:N
Temporal 5.6 E:POC/RL:OF/RC:C
Environmental 4.2 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Hanno Boeck, Juraj Somorovsky of Ruhr-Universität Bochum / Hackmanit GmbH, and Craig Young of Tripwire VERT for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2017-6168, CVE-2017-1000385, CVE-2017-17427, CVE-2017-13098, CVE-2017-13099, CVE-2017-17428, CVE-2017-17382, CVE-2012-5081, CVE-2016-6883
Date Public: 2017-12-12 Date First Published:

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:C/I:N/A:N

0.042 Low

EPSS

Percentile

92.1%