search menu icon-carat-right cmu-wordmark

CERT Coordination Center

TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding

Vulnerability Note VU#144389

Original Release Date: 2017-12-12 | Last Revised: 2018-04-09

Overview

TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding, and may therefore be vulnerable to Bleichenbacher-style attacks. This attack is known as a "ROBOT attack".

Description

CWE-203: Information Exposure Through Discrepancy

Transport Layer Security (TLS) is a mechanism for a security transport over network connections, and is defined in RFC 5246. TLS may utilize RSA cryptography to secure the connection, and section 7.4.7 describes how client and server may exchange keys. Implementations that don't closely follow the descriptions in RFC 5246 may leak information to an attacker when they handle PKCS #1 v1.5 padding errors in ways that lets the attacker distinguish between valid and invalid messages. An attacker may utilize discrepancies in TLS error messages to obtain the pre-master secret key private RSA key used by TLS to decrypt sensitive data. This type of attack has become known as a Bleichenbacher attack. CERT/CC previously published CERT Advisory CA-1998-07 for this type of attack.

Some modern cryptographic implementations are vulnerable to Bleichenbacher-style attacks on TLS. While RFC 5246 Section 7.4.7.1 provides advice in order to eliminate discrepancies and defend against Bleichenbacher attacks, implementation-specific error and exception handling may nevertheless re-introduce message discrepancies that act as a cryptographic oracle for a Bleichenbacher-style attack.

More information about the research and affected vendors is available from the researcher's website.

Impact

A remote, unauthenticated attacker may be able to obtain the TLS pre-master secret (TLS session key) and decrypt TLS traffic.

Solution

Disable TLS RSA

Affected users and system administrators are encouraged to disable TLS RSA cyphers if possible. Please refer to your product's documentation or contact the vendor's customer service.

Apply an update

Some products may have software updates available to address this issue. If an update is available, affected users are encouraged to update product software or firmware. Please see the Affected Vendors list below for more information.

Note for developers

RFC 5246 contains remediation advice for Bleichenbacher-style attacks. Developers are encouraged to review the advice and ensure implementations of TLS or software that utilizes a TLS library does not introduce further message or timing discrepancies that may be used in a Bleichenbacher-style attack.

Vendor Information

The Vendor Information section below lists implementations and vendors that have been identified as vulnerable TLS implementations. Separate CVE IDs for each vendor have been assigned due to the implementation-specific nature of the vulnerability.

144389
 
Affected   Unknown   Unaffected

Cisco

Notified:  November 15, 2017 Updated:  December 14, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Cisco ACE is affected, and assigned CVE-2017-17428

Cisco ASA is affected and assigned CVE-2017-12373
Please see Cisco's security advisory for full vendor statement.

Vendor References

Citrix

Notified:  November 15, 2017 Updated:  December 12, 2017

Statement Date:   December 12, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Citrix NetScaler ADC and Gateway - CVE-2017-17382

Vendor References

Erlang

Updated:  December 12, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

This vulnerability was assigned CVE-2017-1000385.

Vendor References

F5 Networks, Inc.

Notified:  November 15, 2017 Updated:  November 20, 2017

Statement Date:   November 17, 2017

Status

  Affected

Vendor Statement

F5 Networks made a public announcement of this issue today as CVE-2017-6168 – please see https://support.f5.com/csp/article/K21905460

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Legion of the Bouncy Castle

Notified:  November 15, 2017 Updated:  December 12, 2017

Statement Date:   December 12, 2017

Status

  Affected

Vendor Statement

BouncyCastle TLS servers, when configured to use the JCE (Java
Cryptography Extension) for cryptographic functions, contained a weak
Bleichenbacher oracle when any TLS cipher suite using RSA key exchange
was negotiated. This specifically includes servers using the BCJSSE
provider in its default configuration.

Affected software:
bctls-fips-1.0.2.jar and earlier versions
bctls-jdk15on-1.58.jar and earlier versions

Note that the older TLS implementation (in the
org.bouncycastle.crypto.tls package) is not vulnerable.

For FIPS users, the issue is fixed in
bctls-fips-1.0.3.jar

We recommend all FIPS users upgrade as soon as possible.

For the regular API, version 1.59 containing the fix is expected to be
available before the end of 2017. In the meantime, beta versions
beginning with 1.59b09 contain the fix, and are available from
https://downloads.bouncycastle.org/betas/ . We recommend users upgrade
immediately to
bctls-jdk15on-159b09.jar

and then upgrade to the full 1.59 release as soon as it is available. If
continuing to deploy vulnerable versions, we strongly recommend
disabling TLS cipher suites that use RSA key exchange.

Vendor Information

CVE-2017-13098 was assigned to BouncyCastle.

Vendor References

MatrixSSL

Notified:  November 15, 2017 Updated:  December 12, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

MatrixSSL was previously known affected in versions prior to 3.8.3, and assigned CVE-2016-6883.

Vendor References

Micro Focus

Notified:  November 15, 2017 Updated:  March 22, 2018

Statement Date:   March 22, 2018

Status

  Affected

Vendor Statement

Certain versions of Micro Focus Host Access Management and Security Server, Reflection for the Web, Reflection ZFE and Verastream Software Development Kit for Unisys and Airlines are affected by CVE-2017-13098. Updates which address the issue are available for these products. More information is available at https://support.microfocus.com/kb/doc.php?id=7022561.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

wolfSSL

Notified:  December 12, 2017 Updated:  December 12, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Assigned CVE-2017-13099

Vendor References

Botan

Notified:  November 15, 2017 Updated:  November 20, 2017

Statement Date:   November 16, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Check Point Software Technologies

Updated:  December 14, 2017

Statement Date:   December 14, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Dell EMC

Notified:  November 15, 2017 Updated:  November 29, 2017

Statement Date:   November 28, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

EMC does not develop TLS stacks and so is unaffected.

Fortinet, Inc.

Updated:  December 22, 2017

Statement Date:   December 22, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GnuTLS

Notified:  November 15, 2017 Updated:  December 13, 2017

Statement Date:   December 13, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IAIK Java Group

Notified:  November 15, 2017 Updated:  December 06, 2017

Statement Date:   December 06, 2017

Status

  Not Affected

Vendor Statement

iSaSiLk TLS is not affected.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation

Notified:  November 15, 2017 Updated:  December 12, 2017

Statement Date:   December 12, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Microsoft is not affected in default configurations.

OpenSSL

Notified:  November 15, 2017 Updated:  November 20, 2017

Statement Date:   November 17, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

RSA Security LLC

Notified:  November 15, 2017 Updated:  December 13, 2017

Statement Date:   November 28, 2017

Status

  Not Affected

Vendor Statement

RSA BSAFE TLS stacks are not vulnerable to the reported vulnerability.

Vendor Information

Please see the statement below. The URL requires RSA Link Support credentials.

Vendor References

VMware

Updated:  March 22, 2018

Statement Date:   March 22, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The following products are NOT impacted, please see the vendor's security advisory for more information.

VMware ESXi
Site Recovery Manager
vCloud Director for Service Providers
vRealize Automation
vRealize Business for Cloud
vRealize Orchestrator
vRealize Operations

Vendor References

s2n

Notified:  November 15, 2017 Updated:  December 08, 2017

Statement Date:   December 07, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ARM mbed TLS

Notified:  November 15, 2017 Updated:  November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

    Apache HTTP Server Project

    Notified:  November 15, 2017 Updated:  November 15, 2017

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor References

      Apple

      Notified:  November 15, 2017 Updated:  November 15, 2017

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor References

        BoringSSL

        Notified:  November 15, 2017 Updated:  November 15, 2017

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor References

          CREDANT Technologies, Inc.

          Notified:  November 15, 2017 Updated:  November 15, 2017

          Status

            Unknown

          Vendor Statement

          No statement is currently available from the vendor regarding this vulnerability.

          Vendor References

            Certicom

            Notified:  December 12, 2017 Updated:  December 12, 2017

            Status

              Unknown

            Vendor Statement

            No statement is currently available from the vendor regarding this vulnerability.

            Vendor References

              Cryptlib

              Notified:  November 15, 2017 Updated:  November 15, 2017

              Status

                Unknown

              Vendor Statement

              No statement is currently available from the vendor regarding this vulnerability.

              Vendor References

                Crypto++ Library

                Notified:  November 15, 2017 Updated:  November 15, 2017

                Status

                  Unknown

                Vendor Statement

                No statement is currently available from the vendor regarding this vulnerability.

                Vendor References

                  GnuPG

                  Notified:  December 12, 2017 Updated:  December 12, 2017

                  Status

                    Unknown

                  Vendor Statement

                  No statement is currently available from the vendor regarding this vulnerability.

                  Vendor References

                    Go Programming Language

                    Notified:  November 15, 2017 Updated:  November 15, 2017

                    Status

                      Unknown

                    Vendor Statement

                    No statement is currently available from the vendor regarding this vulnerability.

                    Vendor References

                      Google

                      Notified:  November 15, 2017 Updated:  November 15, 2017

                      Status

                        Unknown

                      Vendor Statement

                      No statement is currently available from the vendor regarding this vulnerability.

                      Vendor References

                        IBM, INC.

                        Notified:  November 15, 2017 Updated:  November 15, 2017

                        Status

                          Unknown

                        Vendor Statement

                        No statement is currently available from the vendor regarding this vulnerability.

                        Vendor References

                          LibTom

                          Notified:  November 15, 2017 Updated:  November 15, 2017

                          Status

                            Unknown

                          Vendor Statement

                          No statement is currently available from the vendor regarding this vulnerability.

                          Vendor References

                            LibreSSL

                            Notified:  December 12, 2017 Updated:  December 12, 2017

                            Status

                              Unknown

                            Vendor Statement

                            No statement is currently available from the vendor regarding this vulnerability.

                            Vendor References

                              Nettle

                              Notified:  November 15, 2017 Updated:  November 15, 2017

                              Status

                                Unknown

                              Vendor Statement

                              No statement is currently available from the vendor regarding this vulnerability.

                              Vendor References

                                Oracle Corporation

                                Notified:  November 15, 2017 Updated:  December 18, 2017

                                Statement Date:   December 15, 2017

                                Status

                                  Unknown

                                Vendor Statement

                                No statement is currently available from the vendor regarding this vulnerability.

                                Vendor Information

                                According to the reporter, Java/JSSE were previously known vulnerable in 2012 and assigned CVE-2012-5081. We do not currently have any verification that CVE-2012-5081 was a Bleichenbacher-style vulnerability, but the vulnerability was resolved in 2012 in any case. Please ensure you are using the release of any products since 2012.

                                Vendor References

                                PGP Corporation

                                Notified:  November 15, 2017 Updated:  November 15, 2017

                                Status

                                  Unknown

                                Vendor Statement

                                No statement is currently available from the vendor regarding this vulnerability.

                                Vendor References

                                  Palo Alto Networks

                                  Notified:  December 12, 2017 Updated:  December 12, 2017

                                  Status

                                    Unknown

                                  Vendor Statement

                                  No statement is currently available from the vendor regarding this vulnerability.

                                  Vendor References

                                    SafeNet

                                    Notified:  November 15, 2017 Updated:  November 15, 2017

                                    Status

                                      Unknown

                                    Vendor Statement

                                    No statement is currently available from the vendor regarding this vulnerability.

                                    Vendor References

                                      Spyrus

                                      Notified:  November 15, 2017 Updated:  November 15, 2017

                                      Status

                                        Unknown

                                      Vendor Statement

                                      No statement is currently available from the vendor regarding this vulnerability.

                                      Vendor References

                                        aep NETWORKS

                                        Notified:  November 15, 2017 Updated:  November 15, 2017

                                        Status

                                          Unknown

                                        Vendor Statement

                                        No statement is currently available from the vendor regarding this vulnerability.

                                        Vendor References

                                          libgcrypt

                                          Notified:  December 12, 2017 Updated:  December 12, 2017

                                          Status

                                            Unknown

                                          Vendor Statement

                                          No statement is currently available from the vendor regarding this vulnerability.

                                          Vendor References

                                            mod_ssl

                                            Notified:  December 12, 2017 Updated:  December 12, 2017

                                            Status

                                              Unknown

                                            Vendor Statement

                                            No statement is currently available from the vendor regarding this vulnerability.

                                            Vendor References

                                              View all 42 vendors View less vendors


                                              CVSS Metrics

                                              Group Score Vector
                                              Base 7.1 AV:N/AC:M/Au:N/C:C/I:N/A:N
                                              Temporal 5.6 E:POC/RL:OF/RC:C
                                              Environmental 4.2 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

                                              References

                                              Acknowledgements

                                              Thanks to Hanno Boeck Juraj Somorovsky of Ruhr-Universität Bochum / Hackmanit GmbH, and Craig Young of Tripwire VERT fo r reporting this vulnerability.

                                              This document was written by Garret Wassermann.

                                              Other Information

                                              CVE IDs: CVE-2017-6168, CVE-2017-1000385, CVE-2017-17427, CVE-2017-13098, CVE-2017-13099, CVE-2017-17428, CVE-2017-17382, CVE-2012-5081, CVE-2016-6883
                                              Date Public: 2017-12-12
                                              Date First Published: 2017-12-12
                                              Date Last Updated: 2018-04-09 17:19 UTC
                                              Document Revision: 101

                                              Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.