
CERT Coordination Center


TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding

Vulnerability Note VU#144389

Original Release Date: 2017-12-12 | Last Revised: 2018-04-09

Overview

TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding, and may therefore be vulnerable to Bleichenbacher-style attacks. This attack is known as a "ROBOT attack".

Description

CWE-203: Information Exposure Through Discrepancy

Transport Layer Security (TLS) is a mechanism for secure transport over network connections, and is defined in RFC 5246. TLS may use RSA cryptography to secure the connection, and section 7.4.7 of that RFC describes how client and server exchange keys. Implementations that do not closely follow RFC 5246 may leak information to an attacker when they handle PKCS #1 v1.5 padding errors in ways that let the attacker distinguish valid from invalid messages. An attacker may use such discrepancies in TLS error messages to obtain the pre-master secret, a value that only the holder of the server's private RSA key should be able to recover, and so decrypt sensitive data. This type of attack has become known as a Bleichenbacher attack. CERT/CC previously published CERT Advisory CA-1998-07 for this type of attack.

Some modern cryptographic implementations are vulnerable to Bleichenbacher-style attacks on TLS. While RFC 5246 Section 7.4.7.1 provides advice for eliminating such discrepancies and defending against Bleichenbacher attacks, implementation-specific error and exception handling may nevertheless re-introduce message discrepancies that act as a cryptographic oracle for a Bleichenbacher-style attack.

More information about the research and affected vendors is available from the researcher's website.

Impact

A remote, unauthenticated attacker may be able to obtain the TLS pre-master secret (TLS session key) and decrypt TLS traffic.

Solution

Disable TLS RSA

Affected users and system administrators are encouraged to disable TLS cipher suites that use RSA key exchange if possible. Please refer to your product's documentation or contact the vendor's customer service.

Apply an update

Some products may have software updates available to address this issue. If an update is available, affected users are encouraged to update product software or firmware. Please see the Affected Vendors list below for more information.

Note for developers

RFC 5246 contains remediation advice for Bleichenbacher-style attacks. Developers are encouraged to review that advice and ensure that TLS implementations, and software that uses a TLS library, do not introduce further message or timing discrepancies that could be used in a Bleichenbacher-style attack.
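As an added illustration of the Description and of the advice above (example code written for this note, not taken from any vendor or library it lists): a naive PKCS #1 v1.5 unpadding routine whose distinct early returns are the kind of discrepancy that acts as an oracle, beside the RFC 5246 section 7.4.7.1 handling that folds every check into one flag and always continues with client_version || M or client_version || R. It assumes a 64-byte modulus block, fixed 0xAA padding bytes and an R supplied by the caller, all for determinism; a real server takes R from its CSPRNG.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PMS_LEN 48              /* TLS pre-master secret size */
#define R_LEN   (PMS_LEN - 2)   /* RFC 5246 7.4.7.1: 46 random bytes R */

/* Branch-free helpers written for this example (not from any library in the
   note); inputs are small values below 2^31. */
static uint32_t ct_is_zero(uint32_t x) {            /* 1 if x == 0, else 0 */
    return ((~x & (x - 1u)) >> 31) & 1u;
}
static uint32_t ct_eq(uint32_t a, uint32_t b) { return ct_is_zero(a ^ b); }
static uint32_t ct_select(uint32_t bit, uint32_t a, uint32_t b) {
    uint32_t m = 0u - bit;                          /* bit=1 -> all ones */
    return (a & m) | (b & ~m);
}

/* Build EM = 0x00 || 0x02 || PS || 0x00 || pms, the block RSA decryption of a
   ClientKeyExchange yields. PS is fixed 0xAA here so the example is
   deterministic; real padding uses random non-zero bytes. */
void build_em(const uint8_t pms[PMS_LEN], size_t k, uint8_t *em) {
    em[0] = 0x00; em[1] = 0x02;
    memset(em + 2, 0xAA, k - 3 - PMS_LEN);
    em[k - PMS_LEN - 1] = 0x00;
    memcpy(em + k - PMS_LEN, pms, PMS_LEN);
}

/* Naive unpadding: each failure is a different early return. The distinct
   codes, and the input-dependent amount of work before returning, are the
   discrepancy (CWE-203) the note describes; a peer that can observe them,
   via alerts, error text or timing, has a Bleichenbacher oracle. */
int unwrap_leaky(const uint8_t *em, size_t k, const uint8_t cv[2],
                 uint8_t out[PMS_LEN]) {
    size_t i = 2;
    if (em[0] != 0x00 || em[1] != 0x02) return -1;      /* bad header */
    while (i < k && em[i] != 0x00) i++;
    if (i == k || i < 10) return -2;                    /* no separator / PS < 8 */
    if (k - i - 1 != PMS_LEN) return -3;                /* wrong secret length */
    memcpy(out, em + i + 1, PMS_LEN);
    if (out[0] != cv[0] || out[1] != cv[1]) return -4;  /* version mismatch */
    return 0;
}

/* RFC 5246 7.4.7.1 handling: always finish with the 48-byte secret
   client_version || (M[2..47] if the padding is valid, else R). Every check is
   folded into one flag, the same bytes are read on every path, and the return
   value is the same for every input, so the caller cannot tell valid from
   invalid; a bad guess only shows up later as a failed Finished MAC. r is the
   RFC's R (46 bytes from a CSPRNG in real code; passed in here for the test). */
int unwrap_rfc5246(const uint8_t *em, size_t k, const uint8_t cv[2],
                   const uint8_t r[R_LEN], uint8_t out[PMS_LEN]) {
    if (k < PMS_LEN + 11) return -1;   /* key size is public, safe to branch on */
    uint32_t good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02);
    uint32_t found = 0, sep = 0;
    for (size_t i = 2; i < k; i++) {                    /* scan every byte */
        uint32_t z = ct_is_zero(em[i]);
        sep = ct_select(z & (found ^ 1u), (uint32_t)i, sep); /* keep first 0x00 */
        found |= z;
    }
    /* Valid iff the first 0x00 sits exactly 48 bytes before the end; with
       k >= 59 that also guarantees at least 8 bytes of PS. */
    good &= found & ct_eq(sep, (uint32_t)(k - PMS_LEN - 1));
    const uint8_t *m = em + k - PMS_LEN;                /* where M sits if valid */
    uint32_t mask = 0u - good;
    out[0] = cv[0]; out[1] = cv[1];                     /* version from ClientHello */
    for (size_t j = 2; j < PMS_LEN; j++)
        out[j] = (uint8_t)((m[j] & mask) | (r[j - 2] & ~mask));
    return 0;                                           /* one outcome, always */
}
```

The hardened routine is still only part of the picture: the caller must also avoid logging, alerting or timing differently on the substituted secret, which is the implementation-specific handling the note warns about.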

Vendor Information

The Vendor Information section below lists the vendors and TLS implementations that have been identified as vulnerable. Because the vulnerability is implementation-specific, a separate CVE ID has been assigned for each vendor.

Cisco

Notified:  November 15, 2017 Updated:  December 14, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Cisco ACE is affected and has been assigned CVE-2017-17428.

Cisco ASA is affected and has been assigned CVE-2017-12373.

Please see Cisco's security advisory for the full vendor statement.

Vendor References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171212-bleichenbacher

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Citrix

Notified:  November 15, 2017 Updated:  December 12, 2017

Statement Date:   December 12, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Citrix NetScaler ADC and Gateway - CVE-2017-17382

Vendor References

https://support.citrix.com/article/CTX230238

Addendum

There are no additional comments at this time.

Erlang

Updated:  December 12, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

This vulnerability was assigned CVE-2017-1000385.

Vendor References

http://erlang.org/pipermail/erlang-questions/2017-November/094255.html
http://erlang.org/pipermail/erlang-questions/2017-November/094256.html
http://erlang.org/pipermail/erlang-questions/2017-November/094257.html

Addendum

There are no additional comments at this time.

F5 Networks, Inc.

Notified:  November 15, 2017 Updated:  November 20, 2017

Statement Date:   November 17, 2017

Status

  Affected

Vendor Statement

F5 Networks made a public announcement of this issue today as CVE-2017-6168 – please see https://support.f5.com/csp/article/K21905460

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.f5.com/csp/article/K21905460

Addendum

There are no additional comments at this time.

Legion of the Bouncy Castle

Notified:  November 15, 2017 Updated:  December 12, 2017

Statement Date:   December 12, 2017

Status

  Affected

Vendor Statement

BouncyCastle TLS servers, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, contained a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange was negotiated. This specifically includes servers using the BCJSSE provider in its default configuration.

Affected software:
bctls-fips-1.0.2.jar and earlier versions
bctls-jdk15on-1.58.jar and earlier versions

Note that the older TLS implementation (in the org.bouncycastle.crypto.tls package) is not vulnerable.

For FIPS users, the issue is fixed in bctls-fips-1.0.3.jar.

We recommend all FIPS users upgrade as soon as possible.

For the regular API, version 1.59 containing the fix is expected to be available before the end of 2017. In the meantime, beta versions beginning with 1.59b09 contain the fix, and are available from https://downloads.bouncycastle.org/betas/ . We recommend users upgrade immediately to bctls-jdk15on-159b09.jar and then upgrade to the full 1.59 release as soon as it is available. If continuing to deploy vulnerable versions, we strongly recommend disabling TLS cipher suites that use RSA key exchange.

Vendor Information

CVE-2017-13098 was assigned to BouncyCastle.

Vendor References

https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c

Addendum

There are no additional comments at this time.

MatrixSSL

Notified:  November 15, 2017 Updated:  December 12, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

MatrixSSL was previously known to be affected in versions prior to 3.8.3, and was assigned CVE-2016-6883.

Vendor References

https://github.com/matrixssl/matrixssl/blob/master/doc/CHANGES.md#changes-in-383

Addendum

There are no additional comments at this time.

Micro Focus

Notified:  November 15, 2017 Updated:  March 22, 2018

Statement Date:   March 22, 2018

Status

  Affected

Vendor Statement

Certain versions of Micro Focus Host Access Management and Security Server, Reflection for the Web, Reflection ZFE and Verastream Software Development Kit for Unisys and Airlines are affected by CVE-2017-13098. Updates which address the issue are available for these products. More information is available at https://support.microfocus.com/kb/doc.php?id=7022561.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.microfocus.com/kb/doc.php?id=7022561

Addendum

There are no additional comments at this time.

wolfSSL

Notified:  December 12, 2017 Updated:  December 12, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

This vulnerability was assigned CVE-2017-13099.

Vendor References

https://github.com/wolfSSL/wolfssl/pull/1229

Addendum

There are no additional comments at this time.

Botan

Notified:  November 15, 2017 Updated:  November 20, 2017

Statement Date:   November 16, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Check Point Software Technologies

Updated:  December 14, 2017

Statement Date:   December 14, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Dell EMC

Notified:  November 15, 2017 Updated:  November 29, 2017

Statement Date:   November 28, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

EMC does not develop TLS stacks and so is unaffected.

Addendum

There are no additional comments at this time.

Fortinet, Inc.

Updated:  December 22, 2017

Statement Date:   December 22, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

GnuTLS

Notified:  November 15, 2017 Updated:  December 13, 2017

Statement Date:   December 13, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

IAIK Java Group

Notified:  November 15, 2017 Updated:  December 06, 2017

Statement Date:   December 06, 2017

Status

  Not Affected

Vendor Statement

iSaSiLk TLS is not affected.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Microsoft Corporation

Notified:  November 15, 2017 Updated:  December 12, 2017

Statement Date:   December 12, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Microsoft is not affected in default configurations.

Addendum

There are no additional comments at this time.

OpenSSL

Notified:  November 15, 2017 Updated:  November 20, 2017

Statement Date:   November 17, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

RSA Security LLC

Notified:  November 15, 2017 Updated:  December 13, 2017

Statement Date:   November 28, 2017

Status

  Not Affected

Vendor Statement

RSA BSAFE TLS stacks are not vulnerable to the reported vulnerability.

Vendor Information

Please see the statement below. The URL requires RSA Link Support credentials.

Vendor References

https://community.rsa.com/docs/DOC-85268

Addendum

There are no additional comments at this time.

VMware

Updated:  March 22, 2018

Statement Date:   March 22, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The following products are NOT impacted; please see the vendor's security advisory for more information.

VMware ESXi
Site Recovery Manager
vCloud Director for Service Providers
vRealize Automation
vRealize Business for Cloud
vRealize Orchestrator
vRealize Operations

Vendor References

https://kb.vmware.com/s/article/53106

Addendum

There are no additional comments at this time.

s2n

Notified:  November 15, 2017 Updated:  December 08, 2017

Statement Date:   December 07, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

ARM mbed TLS

Notified:  November 15, 2017 Updated:  November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Apache HTTP Server Project

Notified:  November 15, 2017 Updated:  November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Apple

Notified:  November 15, 2017 Updated:  November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

BoringSSL

Notified:  November 15, 2017 Updated:  November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

CREDANT Technologies, Inc.

Notified:  November 15, 2017 Updated:  November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Certicom

Notified:  December 12, 2017 Updated:  December 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Cryptlib

Notified:  November 15, 2017 Updated:  November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Crypto++ Library

Notified:  November 15, 2017 Updated:  November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

GnuPG

Notified:  December 12, 2017 Updated:  December 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Go Programming Language

Notified:  November 15, 2017 Updated:  November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Google

Notified:  November 15, 2017 Updated:  November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

IBM, INC.

Notified:  November 15, 2017 Updated:  November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

LibTom

Notified:  November 15, 2017 Updated:  November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

LibreSSL

Notified:  December 12, 2017 Updated:  December 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Nettle

Notified:  November 15, 2017 Updated:  November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Oracle Corporation

Notified:  November 15, 2017 Updated:  December 18, 2017

Statement Date:   December 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

According to the reporter, Java/JSSE were previously known to be vulnerable in 2012 and were assigned CVE-2012-5081. We do not currently have any verification that CVE-2012-5081 was a Bleichenbacher-style vulnerability, but the vulnerability was resolved in 2012 in any case. Please ensure you are using a product release from 2012 or later.

Vendor References

https://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html

Addendum

There are no additional comments at this time.

PGP Corporation

Notified:  November 15, 2017 Updated:  November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Palo Alto Networks

Notified:  December 12, 2017 Updated:  December 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

SafeNet

Notified:  November 15, 2017 Updated:  November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Spyrus

Notified:  November 15, 2017 Updated:  November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

aep NETWORKS

Notified:  November 15, 2017 Updated:  November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

libgcrypt

Notified:  December 12, 2017 Updated:  December 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

mod_ssl

Notified:  December 12, 2017 Updated:  December 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


CVSS Metrics

Group          Score  Vector
Base           7.1    AV:N/AC:M/Au:N/C:C/I:N/A:N
Temporal       5.6    E:POC/RL:OF/RC:C
Environmental  4.2    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Hanno Boeck, Juraj Somorovsky of Ruhr-Universität Bochum / Hackmanit GmbH, and Craig Young of Tripwire VERT for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2017-6168, CVE-2017-1000385, CVE-2017-17427, CVE-2017-13098, CVE-2017-13099, CVE-2017-17428, CVE-2017-17382, CVE-2012-5081, CVE-2016-6883
Date Public: 2017-12-12
Date First Published: 2017-12-12
Date Last Updated: 2018-04-09 17:19 UTC
Document Revision: 101

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.