Symantec Security Response | SMNTC-1441
May 16, 2018 - 8:00 a.m.

SA160: Return of the Bleichenbacher Oracle Threat (ROBOT)


EPSS: 0.002 (Low), percentile 53.7%

SUMMARY

Symantec Network Protection products using affected SSL/TLS server implementations and RSA key exchange are susceptible to a variation of the Bleichenbacher adaptive chosen ciphertext attack. A remote attacker, who has captured a pre-recorded encrypted SSL session to the target, can establish a large number of crafted SSL connections to the target and obtain the session keys required to decrypt the pre-recorded SSL session.

AFFECTED PRODUCTS

IntelligenceCenter (IC)

CVE | Affected Version(s) | Remediation
All CVEs | 3.3 | Upgrade to a version of NetDialog NetX with fixes.

SSL Visibility (SSLV)

CVE | Affected Version(s) | Remediation
All CVEs | 4.0 and later | Not vulnerable
All CVEs | 3.12 | Upgrade to 3.12.2.1.
All CVEs | 3.11 | Upgrade to later release with fixes.
All CVEs | 3.10 | Upgrade to 3.10.4.1.
All CVEs | 3.8.4FC | Upgrade to later release with fixes.

ADDITIONAL PRODUCT INFORMATION

SSLV is only vulnerable when intercepting SSL/TLS traffic that uses RSA key exchange.

ISSUES

In the original Bleichenbacher attack, a remote attacker, who has recorded or obtained a pre-recorded encrypted SSL session, can exploit the padding oracle flaw in an SSL/TLS server by establishing a large number of crafted SSL connections. With each connection, the server leaks a small amount of information about the original secret in the pre-recorded session. After approximately one million crafted connections to the server, the Bleichenbacher attacker can recover the original secret, compute the session keys and decrypt the encrypted data exchanged during the pre-recorded session.

The ROBOT attack is a new variation of the Bleichenbacher attack that uses modified attack vectors to discover padding oracles in SSL server implementations. The ROBOT attack classifies padding oracles as follows:

  • A “strong oracle” leaks sufficient information per crafted SSL connection to allow recovering the pre-recorded SSL session’s keys with the same efficiency as the original Bleichenbacher attack (approximately one million crafted connections).
  • A “weak oracle” does not leak sufficient information per crafted SSL connection and requires multiple millions of crafted connections to recover the session keys for a single pre-recorded SSL session. ROBOT attacks against weak oracles are considered impractical.

CVE-2017-15533

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
References | SecurityFocus: BID 104163 / NVD: CVE-2017-15533
Impact | Information disclosure
Description | Weak padding oracle flaw in SSLV 3.x when intercepting SSL/TLS traffic.

CVE-2017-18268

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
References | SecurityFocus: BID 104164 / NVD: CVE-2017-18268
Impact | Information disclosure
Description | Strong padding oracle flaw in the IntelligenceCenter 3.3 management web UI

MITIGATION

The ROBOT attack is only possible on SSL sessions established using RSA key exchange. Disabling RSA key exchange cipher suites on SSL/TLS servers behind SSLV and enabling only cipher suites using DHE and ECDHE key exchange prevents this attack.
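
One way to confirm that a server's OpenSSL cipher string no longer enables RSA key exchange, as described in the mitigation above. This is an added example, not Symantec's code; it assumes Python's ssl module built against OpenSSL 1.1.0 or later, and the cipher strings and function names are constructed for illustration.

```python
import ssl

RSA_KX = "kx-rsa"  # label OpenSSL reports for static RSA key exchange

# Constructed sample cipher strings (OpenSSL cipher-list syntax).
WEAK = ("AES256-GCM-SHA384:AES128-GCM-SHA256:"
        "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256")
HARDENED = WEAK + ":!kRSA"  # "!kRSA" permanently removes RSA key exchange suites


def expand(cipher_string):
    """Return the suites a server context enables for this cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def rsa_kx_suites(cipher_string):
    """Names of enabled suites that still use RSA key exchange."""
    return sorted(c["name"] for c in expand(cipher_string)
                  if c.get("kea") == RSA_KX)


def by_key_exchange(cipher_string):
    """Group enabled suite names by key exchange ("kx-any" is TLS 1.3)."""
    groups = {}
    for c in expand(cipher_string):
        groups.setdefault(c.get("kea", "unknown"), []).append(c["name"])
    return groups


if __name__ == "__main__":
    for label, cs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "RSA key exchange suites:", rsa_kx_suites(cs) or "none")
        for kea, names in sorted(by_key_exchange(cs).items()):
            print("   ", kea, len(names), "suite(s)")
```

Run it against the cipher string from the server's own TLS configuration; an empty result from rsa_kx_suites means only DHE, ECDHE and TLS 1.3 suites remain enabled.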

REFERENCES

The ROBOT Attack - <https://robotattack.org/>
CERT Vulnerability Note VU#144389 - <https://www.kb.cert.org/vuls/id/144389>

REVISION

2019-08-23 Advisory Status moved to Closed.
2019-08-20 A fix for IntelligenceCenter (IC) 3.3 will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the vulnerability fixes.
2018-05-16 Initial public release.
