Security teams in Canadian organizations that use encryption products and services should be contacting their vendors to see if their servers are open to an exploit of an RSA encryption vulnerability that has been lying around and forgotten for almost two decades.
According to researchers who created a website this week to detail the vulnerability — which they dub ROBOT — sites that are possibly vulnerable include PayPal and Facebook, while organizations using certain products from Cisco Systems, F5 Networks, Citrix and others could also be vulnerable unless patched or use a workaround. Some products, such as Cisco’s discontinued ACE (Application Control Engine) may not be patched.
In fact, Cisco told the researchers that ACE will not be updated. Although it is outdated, researchers scanned the Internet and found many hosts still using ACE. Disabling RSA in products is an option, but not for ACE, researchers said, because it doesn’t support another cipher suite. Cisco and others have issued advisories or patches.
ROBOT stands for “Return of Bleichenbacher’s Oracle Threat.” In this case “Oracle” doesn’t refer to the database company but to the fact that the server can reveal information that can be used in an attack. In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in products using RSA encryption with PKCS #1 v1.5 padding allowed an adaptive chosen-ciphertext attack. This attack fully breaks the confidentiality of the TLS (Transport Layer Security) protocol used in web encryption. What’s new is that the researchers discovered that, with some slight variations, this vulnerability can still be used against many HTTPS hosts on today’s Internet.
“For hosts that are vulnerable and only support RSA encryption key exchanges it’s pretty bad,” researchers said, describing the seriousness of the problem. “It means an attacker can passively record traffic and later decrypt it. For hosts that usually use forward secrecy, but still support a vulnerable RSA encryption key exchange the risk depends on how fast an attacker is able to perform the attack.”
A server impersonation or man-in-the-middle attack is also possible, researchers add, but “is more challenging.”
Most modern TLS connections use an Elliptic Curve Diffie-Hellman key exchange, the researchers note, and need RSA only for signatures. However, they believe RSA encryption modes are so risky that the only safe course of action is to disable them if a patch isn’t an option. “By disabling RSA encryption we mean all ciphers that start with TLS_RSA. It does not include the ciphers that use RSA signatures and include DHE or ECDHE in their name. These ciphers are not affected by our attack.”
Based on some preliminary data the compatibility costs of disabling RSA encryption modes are relatively low, researchers said.
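To make the researchers’ advice above concrete, here is an added example (not the researchers’ tooling or any vendor’s code) that takes the cipher suites a scanner reports a server as offering and sorts them into the affected RSA key-exchange suites (names starting with TLS_RSA) and the unaffected forward-secrecy suites (DHE, ECDHE, TLS 1.3), then rates exposure the way the researchers describe it. The sample suite lists are constructed; the check only reflects configuration, so a patched server that still offers TLS_RSA suites is not necessarily exploitable.

```python
"""Triage a server's offered TLS cipher suites for ROBOT exposure.

Added example, not code from the ROBOT researchers. Input is a list of
IANA cipher suite names as reported by a TLS scanner (constructed here).
"""

# Suites that encrypt the premaster secret with the server's RSA key
# (PKCS #1 v1.5 padding); these are the ones the ROBOT oracle targets.
RSA_KEX_PREFIXES = ("TLS_RSA_WITH_", "TLS_RSA_PSK_WITH_")

# Suites that use RSA only for signatures and derive the session key
# with (EC)DHE, plus the TLS 1.3 suites, which never use RSA key exchange.
FS_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}


def uses_rsa_key_exchange(suite: str) -> bool:
    """True for the 'TLS_RSA...' suites the researchers say to disable."""
    return suite.startswith(RSA_KEX_PREFIXES)


def has_forward_secrecy(suite: str) -> bool:
    """True for (EC)DHE and TLS 1.3 suites, which the attack does not affect."""
    return suite.startswith(FS_PREFIXES) or suite in TLS13_SUITES


def triage(offered: list[str]) -> dict:
    """Rate exposure per the researchers' description and list what to keep/drop."""
    rsa_kex = sorted(s for s in offered if uses_rsa_key_exchange(s))
    fs = sorted(s for s in offered if has_forward_secrecy(s))
    if not rsa_kex:
        level = "not_exposed"      # no RSA key exchange offered at all
    elif not fs:
        level = "high"             # RSA-only: recorded traffic can be decrypted later
    else:
        level = "conditional"      # FS preferred; risk depends on attacker speed
    return {"level": level, "disable": rsa_kex, "keep": sorted(set(offered) - set(rsa_kex))}


if __name__ == "__main__":
    # Constructed sample: what a scanner might report for one host.
    sample = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
    print(triage(sample))
```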
Note this attack does not recover a vulnerable server’s private key. It only allows an attacker to decrypt ciphertexts or sign messages with the server’s private key.
“The Robot attack is yet another demonstration of why it is important to monitor for this kind of news and respond quickly,” says Brian Bourne, executive vice-president of products at New Signature, a Washington, D.C.-based solution provider. “Even if you put a lot of effort into building a best practice environment, you may still find yourself vulnerable as Facebook did yesterday. The real lesson here is to respond quickly and protect yourself (as Facebook already has). It’s those that find themselves still vulnerable weeks from now that are going to be abused, as tooling to exploit this becomes more readily available and distributed.”
As to why this problem is still around, researchers note that after Bleichenbacher’s original attack the designers of TLS decided that the best solution was to keep the vulnerable encryption modes and add countermeasures. However, later research showed these countermeasures were incomplete, leading the TLS designers to add more complicated countermeasures that haven’t been implemented correctly.