Many websites, firewalls and load balancers are vulnerable to an attack that can allow hackers to decrypt TLS traffic between them and users or to sign data with their certificate’s private key.
The weakness was found by independent researcher Hanno Böck, Juraj Somorovsky from Ruhr University Bochum and Craig Young from security firm Tripwire and was named ROBOT, short for Return Of Bleichenbacher’s Oracle Threat. That’s because it consists of slight variations of an adaptive-chosen-ciphertext attack against RSA encryption that was first devised in 1998 by Daniel Bleichenbacher of Bell Laboratories.
The Bleichenbacher attack uses errors from a TLS server as an oracle that reveals bits of information about ciphertext (encrypted text) it receives. With enough queries and ciphertext tweaked based on the server responses, an attacker can decrypt a message without actually having the server’s private key.
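To make the oracle described above concrete, the following is an added Python example (it is not code from the researchers or from the article). It builds a toy RSA key from two Mersenne primes, implements PKCS#1 v1.5 padding, and contrasts a server that reports padding errors (the oracle) with one that applies the TLS 1.2 countermeasure of silently substituting a random premaster secret on any failure. The `blind` function uses the multiplicative property of RSA to show why the server's answer to a modified ciphertext is an answer about the original plaintext. The key size, the message and the response strings are constructed for illustration only.

```python
import os
from typing import Optional

# Toy RSA parameters from two Mersenne primes, 2^89-1 and 2^61-1 (constructed;
# far too small for real use, chosen only so the example runs offline).
P = (1 << 89) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (19 here)


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """PKCS#1 v1.5 type-2 encoding: 00 02 <PS: >= 8 non-zero bytes> 00 <msg>."""
    if len(msg) > K - 11:
        raise ValueError("message too long for this modulus")
    ps = b""
    while len(ps) < K - 3 - len(msg):
        b = os.urandom(1)
        if b != b"\x00":
            ps += b
    return b"\x00\x02" + ps + b"\x00" + msg


def encrypt(msg: bytes) -> int:
    return pow(int.from_bytes(pkcs1_v15_pad(msg), "big"), E, N)


def raw_decrypt(c: int) -> bytes:
    return pow(c, D, N).to_bytes(K, "big")


def unpad(em: bytes) -> Optional[bytes]:
    """Return the message if em is PKCS#1 v1.5 conformant, otherwise None."""
    if em[0] != 0 or em[1] != 2:
        return None
    try:
        sep = em.index(b"\x00", 2)      # first 0x00 after the 00 02 header
    except ValueError:
        return None
    if sep - 2 < 8:                     # padding string must be at least 8 bytes
        return None
    return em[sep + 1:]


def vulnerable_server(c: int) -> str:
    """Bug: the response reveals whether the padding was valid (the oracle)."""
    if unpad(raw_decrypt(c)) is None:
        return "alert: padding error"
    return "ok"


def hardened_server(c: int, expected_len: int = 6) -> str:
    """TLS 1.2 countermeasure (RFC 5246, 7.4.7.1): on any failure substitute a
    random secret of the expected length and carry on, so conformant and
    non-conformant ciphertexts produce the same observable response. Real TLS
    expects a 48-byte premaster secret; 6 matches the toy message below."""
    msg = unpad(raw_decrypt(c))
    if msg is None or len(msg) != expected_len:
        msg = os.urandom(expected_len)  # handshake later fails on MAC mismatch, identically
    return "ok"


def blind(c: int, s: int) -> int:
    """RSA is multiplicatively homomorphic: blind(c, s) decrypts to (m * s) mod N.
    So the server's verdict on blind(c, s) is a verdict about the original m."""
    return (c * pow(s, E, N)) % N


def oracle_leak(server, c: int, trials: int = 200) -> int:
    """Number of distinct responses a server gives across blindings of one
    ciphertext. More than one distinct answer means it acts as a padding oracle."""
    return len({server(blind(c, s)) for s in range(1, 1 + trials)})


if __name__ == "__main__":
    c = encrypt(b"secret")
    print("vulnerable server distinct responses:", oracle_leak(vulnerable_server, c))
    print("hardened server distinct responses:  ", oracle_leak(hardened_server, c))
```

Running it shows the vulnerable server giving two distinguishable answers (valid for `s = 1`, an error for almost every other blinding) while the hardened one always answers identically; the real countermeasure also requires the error path to take the same time as the success path, which a toy like this does not model.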
The impact of the flaw for servers that only support static RSA key exchanges is devastating because it allows attackers to decrypt captured traffic between users and those servers. Pulling off such an attack would require making several tens of thousands of queries, so it would take some time but would otherwise be quite practical.
However, for servers that use a forward-secrecy-enabled key exchange such as Diffie-Hellman and only use RSA for signing, an attacker can only generate messages that appear to be signed with the server’s private key. This can’t be used for traffic decryption, but can potentially be used in a man-in-the-middle scenario to impersonate a vulnerable server to a client, as long as the attack is performed during a handshake.
“A TLS handshake usually takes less than a second,” the researchers said in their paper. “An attacker can delay this up to a few seconds, but not much more. Therefore, the attack needs to happen really fast. Creating a signature with a Bleichenbacher attack takes longer than decrypting a ciphertext, therefore this is particularly challenging.”
However, if the server supports static RSA key exchange in addition to Diffie-Hellman, then it might be possible to perform a connection downgrade where the client and server are tricked into negotiating RSA.
The researchers found 27 websites in the Alexa Top 100 that were vulnerable to a variation of the ROBOT attack, including Facebook and PayPal.
PayPal was vulnerable to traffic decryption and Facebook to signature forging. The researchers actually created a message signed with the private key of Facebook’s TLS certificate and sent it to the company, which rewarded them with a bug bounty.
Across the Alexa Top 1 Million, the researchers found 27,965 vulnerable websites or 2.8 percent. Many of the sites were actually vulnerable because they were using a load balancer, firewall or open source TLS implementation that was vulnerable to the attack.
The researchers found vulnerable implementations in products from F5, Citrix, Radware, Cisco Systems and a yet-unnamed vendor that hasn’t released patches. The Bouncy Castle, Erlang and WolfSSL implementations were also found to be vulnerable.
While most affected vendors released patches, Cisco said it won’t fix the issue in its ACE appliances because they’ve long reached end of support. The researchers said they’ve also identified three additional behavior profiles that were shared by hundreds of vulnerable websites, which could suggest that there are other affected vendors out there.
In addition to deploying patches, the best way to protect against ROBOT and Bleichenbacher flaws in general is to completely disable support for RSA-based encryption on servers.
“We believe RSA encryption modes are so risky that the only safe course of action is to disable them,” the researchers said in an FAQ on a website dedicated to this attack. “Apart from being risky these modes also lack forward secrecy.”
“Based on some preliminary data we also believe the compatibility costs of disabling RSA encryption modes are relatively low,” they said. “Cloudflare shared with us that around 1 percent of their connections use the RSA encryption modes.”
The ability to scan for this vulnerability has been added to several TLS testing tools that are listed on the researchers’ website. A proof-of-concept exploit will also be published at a later time.
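As a practical complement to the advice above (disabling RSA encryption modes) and to the scanning tools mentioned here, the following added Python example (not from the researchers' site or any of the listed tools) audits a cipher-suite list in the format printed by `openssl ciphers -v`, separates the static-RSA key-exchange suites that a Bleichenbacher oracle can decrypt from the forward-secret ones, and builds a hardened OpenSSL cipher string. The sample list is constructed and does not describe any real server; the `kRSA` keyword is OpenSSL's own name for the RSA key-exchange group.

```python
import re
from typing import List, Tuple

# Constructed sample in the layout of `openssl ciphers -v` output (not a scan
# of any real host). Columns: name, protocol, Kx=key exchange, Au=authentication.
SAMPLE_CIPHER_LIST = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-GCM-SHA384           TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)    Mac=SHA1
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)")


def parse_openssl_ciphers(text: str) -> List[Tuple[str, str, str]]:
    """Parse `openssl ciphers -v` lines into (suite name, key exchange, auth)."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append((m.group(1), m.group(3), m.group(4)))
    return suites


def static_rsa_suites(suites) -> List[str]:
    """Suites whose premaster secret is RSA-encrypted (Kx=RSA). A padding oracle
    lets captured traffic under these suites be decrypted; they also lack
    forward secrecy."""
    return [name for name, kex, _ in suites if kex == "RSA"]


def forward_secret_suites(suites) -> List[str]:
    """Suites with (EC)DHE key exchange. RSA is only used for signing here, so
    only the far harder signature-forgery variant applies, and only during a
    live handshake."""
    return [name for name, kex, _ in suites if kex in ("ECDH", "DH")]


def hardened_cipher_string(suites) -> str:
    """Keep only the forward-secret suites and append !kRSA so that suites the
    library adds later cannot silently re-enable RSA key exchange."""
    return ":".join(forward_secret_suites(suites)) + ":!kRSA"


if __name__ == "__main__":
    parsed = parse_openssl_ciphers(SAMPLE_CIPHER_LIST)
    print("static RSA key exchange (disable):", static_rsa_suites(parsed))
    print("hardened cipher string:", hardened_cipher_string(parsed))
```

The resulting string can be dropped into the server's cipher configuration (for example `ssl_ciphers` in nginx or `SSLCipherSuite` in Apache); the same parser can be pointed at the list a scanner reports a server actually accepts, which is the check that matters after a patch or configuration change.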