A 19-year-old vulnerability has been re-discovered in the RSA implementation from at least 8 different vendors—including F5, Citrix, and Cisco—that can give man-in-the-middle attackers access to encrypted messages.
Dubbed ROBOT (Return of Bleichenbacher's Oracle Attack), the attack allows an attacker to perform RSA decryption and cryptographic operations using the private key configured on the vulnerable TLS servers.
ROBOT attack is nothing but a couple of minor variations to the old Bleichenbacher attack on the RSA encryption protocol.
First discovered in 1998 and named after Swiss cryptographer Daniel Bleichenbacher, the Bleichenbacher attack is a padding oracle attack on RSA-based PKCS#1 v1.5 encryption scheme used in SSLv2.
Leveraging an adaptive chosen-ciphertext attack which occurred due to error messages by SSL servers for errors in the PKCS #1 1.5 padding, Bleichenbacher attack allows attackers to determine whether a decrypted message is correctly padded.
This information eventually helps attackers decrypt RSA ciphertexts without recovering the server's private key, completely breaking the confidentiality of TLS when used with RSA encryption.
> "An attacker could iteratively query a server running a vulnerable TLS stack implementation to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions." Cisco explains in an advisory.
In 1998, Bleichenbacher proposed to upgrade encryption scheme, but instead, TLS designers kept the vulnerable encryption modes and added a series of complicated countermeasures to prevent the leakage of error details.
Now, a team of security researchers has discovered that these countermeasures were incomplete and just by using some slight variations, this attack can still be used against many HTTPS websites.
> "We changed it to allow various different signals to distinguish between error types like timeouts, connection resets, duplicate TLS alerts," the researchers said.
> "We also discovered that by using a shortened message flow where we send the ClientKeyExchange message without a ChangeCipherSpec and Finished message allows us to find more vulnerable hosts."
According to the researchers, some of the most popular websites on the Internet, including Facebook and Paypal, are affected by the vulnerability. The researchers found "vulnerable subdomains on 27 of the top 100 domains as ranked by Alexa."
ROBOT attack stems from the above-mentioned implementation flaw that only affects TLS cipher modes using RSA encryption, allowing an attacker to passively record traffic and later decrypt it.
> "For hosts that usually use forward secrecy, but still support a vulnerable RSA encryption key exchange the risk depends on how fast an attacker is able to perform the attack," the researchers said.
> "We believe that a server impersonation or man in the middle attack is possible, but it is more challenging."
The ROBOT attack has been discovered by Hanno Böck, Juraj Somorovsky of Ruhr-Universitat Bochum/Hackmanit GmbH, and Craig Young of Tripwire VERT, who also created a dedicated website explaining the whole attack, its implications, mitigations and more.
The attack affects implementations from several different vendors, some of which have already released patches and most have support notes acknowledging the issue.
You will find the list of affected vendors on the ROBOT website.
The researchers have also released a python tool to scan for vulnerable hosts. You can also check your HTTPS server against ROBOT attack on their website.