Page tree
Skip to end of metadata
Go to start of metadata

What happened?

The Bleichenbacher attack is back, now named "Return Of Bleichenbacher's Oracle Threat" (ROBOT). This 19-year-old vulnerability can allow an attacker to decrypt HTTPS traffic by exploiting some RSA encryption implementations.

ROBOT is a variation of the old Bleichenbacher attack from 1998 which is a padding oracle attack on RSA PKCS#1 v1.5 encryption for key exchange.

Hosts that are supporting RSA encryption with one of the vulnerable TLS/SSL implementations can be impacted.


Détails de la vulnérabilité

The Bleichenbacher attack is applicable to the TLS-RSA key exchange. This key exchange is used in all cipher suites having names starting with TLS_RSA (e.g. TLS_RSA_WITH_AES_128_CBC_SHA256).

An attacker can make use of specially crafted TLS client handshakes (different RSA PKCS#1 v1.5 paddings, valid or not) with the TLS server acting as an oracle (based on the response status) to decrypt arbitrary ciphertext without access to the private key (i.e. adaptive chosen-ciphertext attack).

The novelty of the ROBOT attack, compared to the original Bleichenbacher’s one, is that TLS implementations known to be vulnerable may return different TLS alerts and/or connection closures depending on the crafted padding, and this side-channel information can be used to improve the efficiency of the attack (less requests needed).

DenyAll Statement

The DenyAll products are *not* vulnerable to this attack.

The OpenSSL's implementation of TLS used in DenyAll products always completes invalid handshakes before returning the (same) appropriate TLS-alert, and so according to the TLS 1.0 (and later) specification's recommendation against this old and well known attack. In this regard, the new attack doesn't exploit a new TLS vulnerabilty, servers immune to the old Bleichenbacher attack remain immune to this new attack, while vulnerable servers may now face a faster attack.

  • No labels