Yesterday a 19-old vulnerability called ROBOT was “rediscovered”. The vulnerability is a major live weakness in the implementation of SSL/TLS cipher suites where a RSA algorithm is used for encryption key exchange. The issue was published by: Hanno Böck, Juraj Somorovsky of Ruhr-Universitat Bochum/Hackmanit GmbH, and Craig Young of Tripwire VERT, who created a dedicated website describing the problem and its implications.
The ROBOT vulnerability was originally discovered by Daniel Bleichenbacher in 1998 as an error in implementation of PKCS #1 1.5 padding as an “adaptive-chosen ciphertext attack” that in practical terms allowed to decrypt SSL communication if RSA algorithm is used for encryption.
Although Daniel Bleichenbacher published the details of his research and proof of concept 19 years ago the designers of TLS decided to implement insufficient and incomplete workaround rather than re-designing the protocol as to eliminate the issue permanently.
Steps to take
HTTPS admins are advised to update their www servers immediately, and if a fix is not available, to disable the ciphers suites that use RSA for encryption of key exchange. The below table lists current available patches that are available from different vendors. It is worth remembering that the vulnerability does not allow the retrieval of the private key from the server but only to decrypt the messages and as a result ciphers where RSA is used for signatures only are safe to use still. So all ciphers with DHE (Diffie Hellman) or ECDHE (Elliptic Curve Diffie Hellman) for Key Exchange are still secure
It is advised to install the latest patches from vendors, and/or disable all ciphers that start with “TLS_RSA”. According to Cloudflare less than 1% of all traffic is encrypted with affected ciphers (TLS_RSA), so there should be minimal impact on your customers that connect over HTTPS protocol.
If your organisation is impacted by this vulnerability or you want to raise awareness among your employees then please contact Sysnet, we have the experience and the expertise.