SA160: Return of the Bleichenbacher Oracle Threat (ROBOT)

IntelligenceCenter

1441

04 May 2021

16 May 2018

CLOSED

MEDIUM

CVSS v2: 4.3

SUMMARY

 

Symantec Network Protection products using affected SSL/TLS server implementations and RSA key exchange are susceptible to a variation of the Bleichenbacher adaptive chosen ciphertext attack.  A remote attacker, who has captured a pre-recorded encrypted SSL session to the target, can establish a large number of crafted SSL connections to the target and obtain the session keys required to decrypt the pre-recorded SSL session.

AFFECTED PRODUCTS

 

IntelligenceCenter (IC)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| All CVEs | 3.3 | Upgrade to a version of NetDialog NetX with fixes. |

 

SSL Visibility (SSLV)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| All CVEs | 4.0 and later | Not vulnerable |
| All CVEs | 3.12 | Upgrade to 3.12.2.1. |
| All CVEs | 3.11 | Upgrade to later release with fixes. |
| All CVEs | 3.10 | Upgrade to 3.10.4.1. |
| All CVEs | 3.8.4FC | Upgrade to later release with fixes. |

 

ADDITIONAL PRODUCT INFORMATION

 

SSLV is only vulnerable when intercepting SSL/TLS traffic that uses RSA key exchange.

ISSUES

 

In the original Bleichenbacher attack, a remote attacker, who has recorded or obtained a pre-recorded encrypted SSL session, can exploit the padding oracle flaw in an SSL/TLS server by establishing a large number of crafted SSL connections.  With each connection, the server leaks a small amount of information about the original secret in the pre-recorded session.  After approximately one million crafted connections to the server, the Bleichenbacher attacker can recover the original secret, compute the session keys and decrypt the encrypted data exchanged during the pre-recorded session.

The ROBOT attack is a new variation of the Bleichenbacher attack that uses modified attack vectors to discover padding oracles in SSL server implementations.  The ROBOT attack classifies padding oracles as follows:

  • A "strong oracle" leaks sufficient information per crafted SSL connection to allow recovering the pre-recorded SSL session's keys with the same efficiency as the original Bleichenbacher attack (approximately one million crafted connections).
  • A "weak oracle" does not leak sufficient information per crafted SSL connection and requires multiple millions of crafted connections to recover the session keys for a single pre-recorded SSL session.  ROBOT attacks against weak oracles are considered impractical.

CVE-2017-15533
Severity / CVSSv2: Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
References: SecurityFocus: BID 104163 / NVD: CVE-2017-15533
Impact: Information disclosure
Description: Weak padding oracle flaw in SSLV 3.x when intercepting SSL/TLS traffic.

 

CVE-2017-18268
Severity / CVSSv2: Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
References: SecurityFocus: BID 104164 / NVD: CVE-2017-18268
Impact: Information disclosure
Description: Strong padding oracle flaw in the IntelligenceCenter 3.3 management web UI.

 

MITIGATION

 

The ROBOT attack is only possible on SSL sessions established using RSA key exchange.  Disabling RSA key exchange cipher suites on SSL/TLS servers behind SSLV and enabling only cipher suites using DHE and ECDHE key exchange prevents this attack.
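One way to check a server's configured cipher suite list against this mitigation is to classify each IANA suite name by its key exchange. This is an added example, not part of the Symantec advisory: the function names and the sample list are constructed for illustration, and accepting TLS 1.3 suites (which never use RSA key exchange) is an assumption that goes beyond the advisory's text.

```python
import re

# Key-exchange prefixes the mitigation allows (ephemeral Diffie-Hellman).
FORWARD_SECRET_KX = ("DHE_", "ECDHE_")

def classify_suite(name):
    """Classify an IANA TLS cipher suite name by its key exchange.

    'rsa-kx'    : premaster secret is RSA-encrypted (the ROBOT precondition)
    'ephemeral' : DHE or ECDHE key exchange
    'tls13'     : TLS 1.3 suite (no key exchange in the name, no RSA kx)
    'other'     : anything else (static DH/ECDH, PSK, unknown names)
    """
    name = name.strip().upper()
    m = re.fullmatch(r"TLS_([A-Z0-9_]+?)_WITH_[A-Z0-9_]+", name)
    if m is None:
        is_tls13 = re.fullmatch(r"TLS_(AES|CHACHA20)_[A-Z0-9_]+", name)
        return "tls13" if is_tls13 else "other"
    kx = m.group(1) + "_"
    if kx.startswith(FORWARD_SECRET_KX):
        return "ephemeral"
    if kx.startswith("RSA_"):  # RSA, RSA_EXPORT, RSA_PSK
        return "rsa-kx"
    return "other"

def audit(suites):
    """Return (compliant, findings) for a list of enabled suite names."""
    findings = {}
    for suite in suites:
        kind = classify_suite(suite)
        if kind == "rsa-kx":
            findings[suite] = "RSA key exchange: disable"
        elif kind == "other":
            findings[suite] = "not DHE/ECDHE: review"
    return (not findings, findings)

# Constructed sample: a server cipher list as it might appear before hardening.
SAMPLE_SUITES = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    compliant, findings = audit(SAMPLE_SUITES)
    print("compliant with mitigation:", compliant)
    for suite, reason in findings.items():
        print(f"  {suite}: {reason}")
```

Note that `TLS_ECDHE_RSA_*` and `TLS_DHE_RSA_*` suites pass: there RSA is only the signature algorithm, not the key exchange.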

REFERENCES

 

The ROBOT Attack - https://robotattack.org/
CERT Vulnerability Note VU#144389 - https://www.kb.cert.org/vuls/id/144389

REVISION

 

2019-08-23 Advisory Status moved to Closed.
2019-08-20 A fix for IntelligenceCenter (IC) 3.3 will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the vulnerability fixes.
2018-05-16 Initial public release.