Researchers recently discovered that a nearly two-decade-old vulnerability in TLS stacks was still exploitable due to insufficient protective counter-measures some used by highly popular websites and thereby endangering users of multiple TLS servers and devices.
The flaw, which allows malicious actors to capture and decrypt a TLS server's RSA-encrypted traffic – potentially enabling server impersonation and man-in-the-middle attacks –was observed in 27 of the top 100 domains ranked by Alexa, including those operated by Facebook and PayPal, according to a newly released report.
The vulnerability was originally identified in 1998 in the Secure Sockets Layer (SSL) 3.0 protocol by Daniel Bleichenbacher, who discovered that PKCS (Public-Key Cryptography Standards) #1 1.5 padding errors can lead to SSL servers creating error messages with various discrepancies, which attackers can leverage to gradually decipher RSA-encrypted content. This breed of chosen ciphertext attack is otherwise known as the Bleichenbacher or million message attack.
After Bleichenbacher revealed his attack method, various counter-measures were put in place to curtain such exploits, but the researchers found that some minor tweaks made the attacks viable again, even in HTTPS-based data transport between networks. The researchers – Hanno Bock and Juraj Somorovsky from German web application security company Hackmanit GmbH, and Craig Young from Tripwire VERT – named their new variation of the exploit ROBOT, which stands for Return of Beichenbacher's Oracle Threat.
“The current vulnerabilities are the result of a general failure to properly implement or test these [previous] countermeasures in popular products,” states Young in a Tripwire VERT security update.
The trio of researchers found vulnerable implementations in TLS stacks from F5, Citrix, Radware, Cisco, Bouncy Castle, Erlang, and Wolf SSL, as well as several more vendors that still have fixes pending and thus were not publicly named. (The researchers also noted that TLS stacks from MatrixSSL and JSSE contained different, older vulnerabilities, but were included in the report because “we still see vulnerable hosts.”)
Aside from applying vendor updates, the researchers recommend users disable RSA encryption – specifically all ciphers that start with TLS_RSA. “Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures,” explain the researchers in their report. “We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky, these modes also lack forward secrecy.”