Vulnerability Note VU#144389
TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding
TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding, and may therefore be vulnerable to Bleichenbacher-style attacks. This attack is known as a "ROBOT attack".
CWE-203: Information Exposure Through Discrepancy
Transport Layer Security (TLS) is a mechanism for a security transport over network connections, and is defined in RFC 5246. TLS may utilize RSA cryptography to secure the connection, and section 7.4.7 describes how client and server may exchange keys. Implementations that don't closely follow the descriptions in RFC 5246 may leak information to an attacker when they handle PKCS #1 v1.5 padding errors in ways that lets the attacker distinguish between valid and invalid messages. An attacker may utilize discrepancies in TLS error messages to obtain the pre-master secret key private RSA key used by TLS to decrypt sensitive data. This type of attack has become known as a Bleichenbacher attack. CERT/CC previously published CERT Advisory CA-1998-07 for this type of attack.
Some modern cryptographic implementations are vulnerable to Bleichenbacher-style attacks on TLS. While RFC 5246 Section 188.8.131.52 provides advice in order to eliminate discrepancies and defend against Bleichenbacher attacks, implementation-specific error and exception handling may nevertheless re-introduce message discrepancies that act as a cryptographic oracle for a Bleichenbacher-style attack.
More information about the research and affected vendors is available from the researcher's website.
A remote, unauthenticated attacker may be able to obtain the TLS pre-master secret (TLS session key) and decrypt TLS traffic.
Disable TLS RSA
Vendor Information (Learn More)
The Vendor Information section below lists implementations and vendors that have been identified as vulnerable TLS implementations. Separate CVE IDs for each vendor have been assigned due to the implementation-specific nature of the vulnerability.
|Vendor||Status||Date Notified||Date Updated|
|Cisco||Affected||15 Nov 2017||14 Dec 2017|
|Citrix||Affected||15 Nov 2017||12 Dec 2017|
|Erlang||Affected||-||12 Dec 2017|
|F5 Networks, Inc.||Affected||15 Nov 2017||20 Nov 2017|
|Legion of the Bouncy Castle||Affected||15 Nov 2017||12 Dec 2017|
|MatrixSSL||Affected||15 Nov 2017||12 Dec 2017|
|Micro Focus||Affected||15 Nov 2017||22 Mar 2018|
|wolfSSL||Affected||12 Dec 2017||12 Dec 2017|
|Botan||Not Affected||15 Nov 2017||20 Nov 2017|
|Check Point Software Technologies||Not Affected||-||14 Dec 2017|
|Dell EMC||Not Affected||15 Nov 2017||29 Nov 2017|
|Fortinet, Inc.||Not Affected||-||22 Dec 2017|
|GnuTLS||Not Affected||15 Nov 2017||13 Dec 2017|
|IAIK Java Group||Not Affected||15 Nov 2017||06 Dec 2017|
|Microsoft Corporation||Not Affected||15 Nov 2017||12 Dec 2017|
CVSS Metrics (Learn More)
Thanks to Hanno Boeck, Juraj Somorovsky of Ruhr-Universitšt Bochum / Hackmanit GmbH, and Craig Young of Tripwire VERT for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2017-6168 CVE-2017-1000385 CVE-2017-17427 CVE-2017-13098 CVE-2017-13099 CVE-2017-17428 CVE-2017-17382 CVE-2012-5081 CVE-2016-6883
- Date Public: 12 Dec 2017
- Date First Published: 12 Dec 2017
- Date Last Updated: 09 Apr 2018
- Document Revision: 101
If you have feedback, comments, or additional information about this vulnerability, please send us email.