ROBOT Attack Can Be Used to Decrypt HTTPS Traffic

A variation of the 19-year-old Bleichenbacher cryptographic attack can be exploited to recover the TLS session key, allowing threat actors to decrypt sensitive HTTPS traffic. In response to the original Bleichenbacher attack, instead of replacing the insecure RSA-based key exchange, the designers of the TLS standard added countermeasures, detailed in Section 7.4.7.1 of RFC 5246, to make such attacks harder to carry out. These countermeasures fail to sufficiently mitigate the attack, and several variations of the Bleichenbacher attack have been published over the last 14 years, including the DROWN attack from May 2016.

This new attack, dubbed ROBOT for “Return of Bleichenbacher’s Oracle Threat,” exploits server equipment on which the countermeasures are not properly implemented. According to the researchers, 27 of the Alexa Top 100 websites are vulnerable to the ROBOT attack, and several vendors, such as Cisco, Citrix, and Oracle, have products that are vulnerable when the server encrypts the TLS session key with the RSA algorithm using the PKCS #1 version 1.5 padding scheme. The ROBOT attack could allow a remote, unauthenticated threat actor to obtain the TLS session key and decrypt HTTPS traffic.

The NJCCIC recommends that users and administrators of the affected products review the CERT/CC Vulnerability Note, the ROBOT attack paper, and the ROBOT attack site for additional information and a full list of vulnerable products; use the Python script to scan for vulnerable hosts and the ROBOT vulnerability checker to test public HTTPS servers; disable RSA encryption of the TLS session key on affected devices; and apply updates to affected products as soon as they are available.
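To make the RFC 5246 Section 7.4.7.1 countermeasure concrete, the following is an added example written for this page; it is not code from the ROBOT researchers, from NJCCIC, or from any TLS implementation. It models only the server-side step after RSA decryption: the PKCS #1 v1.5 block is a constructed byte string (no RSA is performed), and the function names `pkcs1_v15_unpad`, `premaster_leaky` and `premaster_rfc5246` are this example's own. The leaky variant shows the behaviour that creates an oracle (distinguishable failures), and the RFC 5246 variant shows the countermeasure (always continue with a 48-byte premaster secret whose first two bytes are the client's version).

```python
import os
from typing import Callable, Optional

PREMASTER_LEN = 48  # TLS premaster secret: 2 version bytes + 46 random bytes


def pkcs1_v15_unpad(block: bytes) -> Optional[bytes]:
    """Strip PKCS #1 v1.5 type-2 padding: 00 || 02 || PS (>= 8 non-zero bytes) || 00 || M.

    `block` is the plaintext that RSA decryption would yield (constructed by the
    caller here; no RSA is performed). Returns M, or None if the padding is malformed.
    """
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        return None
    try:
        sep = block.index(0x00, 2)  # first 0x00 after the 02 byte terminates PS
    except ValueError:
        return None
    if sep < 10:  # PS must be at least 8 bytes (indices 2..9)
        return None
    return block[sep + 1:]


def premaster_leaky(block: bytes, client_version: bytes) -> bytes:
    """Vulnerable handling: every failure is reported, and reported differently,
    so the peer learns whether the padding of a chosen ciphertext was valid.
    That distinguishable response is the oracle Bleichenbacher-style attacks need."""
    m = pkcs1_v15_unpad(block)
    if m is None:
        raise ValueError("decrypt_error: bad PKCS#1 padding")
    if len(m) != PREMASTER_LEN:
        raise ValueError("decrypt_error: bad premaster length")
    if m[:2] != client_version:
        raise ValueError("handshake_failure: version mismatch")
    return m


def premaster_rfc5246(block: bytes, client_version: bytes,
                      rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """Countermeasure from RFC 5246 section 7.4.7.1: always produce a 48-byte
    premaster secret. On malformed padding or wrong length, substitute 46 random
    bytes; in every case the first two bytes are overwritten with client_version.
    The handshake then continues and a wrong guess only fails at the Finished MAC,
    which is indistinguishable from any other failed handshake. A real
    implementation must also make this path constant-time; `rng` is a parameter
    only so the behaviour can be checked deterministically."""
    r = rng(PREMASTER_LEN - 2)
    m = pkcs1_v15_unpad(block)
    if m is None or len(m) != PREMASTER_LEN:
        return client_version + r
    return client_version + m[2:]


def demo() -> None:
    client_version = b"\x03\x03"  # TLS 1.2
    # Constructed sample blocks: one well-formed, one with a wrong block type.
    good = b"\x00\x02" + b"\xff" * 8 + b"\x00" + client_version + bytes(range(46))
    bad = b"\x00\x01" + good[2:]
    for name, block in (("well-formed", good), ("malformed", bad)):
        try:
            premaster_leaky(block, client_version)
            print(f"leaky   {name}: accepted")
        except ValueError as err:
            print(f"leaky   {name}: {err}  <- observable oracle")
        pms = premaster_rfc5246(block, client_version)
        print(f"rfc5246 {name}: {len(pms)}-byte premaster, version {pms[:2].hex()}")


if __name__ == "__main__":
    demo()
```

The hardened path removes the distinguishable failure at the handshake level, but the page's stronger recommendation still applies: disabling RSA encryption of the session key (static RSA key exchange) in favour of an ephemeral key exchange removes the oracle entirely rather than relying on every implementation getting this step right.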