A 19-year-old vulnerability in the TLS network security protocol has been found in the software of at least eight IT vendors and open-source projects – and the bug could allow an attacker to decrypt encrypted communications.
Identified by security researchers Hanno Böck, Juraj Somorovsky of Ruhr-Universität Bochum/Hackmanit, and Craig Young of Tripwire VERT, the flaw – specifically in RSA PKCS #1 v1.5 encryption – affects the servers of 27 of the top 100 web domains, including Facebook and PayPal.
The vulnerability, however, is overrepresented among the top 100 websites. According to Young, only 2.8 per cent of the top million websites, as measured by Alexa, are affected.
"This drastic difference is because the problems were mainly found in expensive commercial products that are often used to enforce security controls on popular websites," Young said in an email to The Register.
The flaw dates back to 1998, when Daniel Bleichenbacher, a Swiss cryptographer who currently works for Google, identified a problem with the implementation of RSA PKCS #1 v1.5. The shortcoming could be exploited by miscreants to pose repeated queries to a server running vulnerable code in order to receive answers usable for decoding ostensibly secure communications.
In keeping with the current trend of naming noteworthy vulnerabilities so the technically disinterested can participate in the conversation, the researchers have dubbed the bad code ROBOT, which stands for Return Of Bleichenbacher’s Oracle Threat.
"Oracle" in this case does not refer to the litigious database giant; it's a term used to describe vulnerable servers that act as oracles by providing answers to queries.
The bug has endured since 1998, Young explained, because recommendations for software developers on how to prevent the attack fell short and became more and more complicated with subsequent iterations. In other words, various encryption systems in use today are still affected by the weaknesses uncovered by Bleichenbacher nearly two decades ago, because mitigations drawn up at the time were not enough, and thus network traffic encrypted using the weak technology can be decrypted by force.
"The end result as we can see is that many software designers did not properly implement these protections," said Young. "The real underlying problem here is that the protocol designers decided (in 1999) to make workarounds for using an insecure technology rather than replace it with a secure one as recommended by Bleichenbacher in 1998."
As a proof-of-concept exploit, the researchers managed to sign a message with the private key of the facebook.com HTTPS certificate.
Facebook has since patched its servers. As described in a paper on the flaw that was published Tuesday, Facebook was using a patched version of OpenSSL for its vulnerable hosts and said the bug hailed from one of the company's custom patches.
Makers of stuff affected by ROBOT, meaning information encrypted by their gear is at risk of forced decryption by eavesdroppers, include:
Other vendors with vulnerable products will be identified once they publish fixes, according to Tripwire.
Young told The Register that for the most interesting attack scenarios, the attacker must have access to the victim's network traffic.
"This is a capability government spy agencies have but vulnerabilities in W-iFi (including the recent KRACK attack) can allow nearby attackers to perform these attacks," said Young.
Given that prerequisite, Young said the next step depends upon the configuration of the website in question.
"If the site only supports older standards, the attacker can record traffic to decrypt later and depending on how fast the attacker is able to carry out the attack, [that person] could also impersonate these sites to manipulate what shows in the victim’s web browser," said Young. "If the site supports newer standards, the attacker needs to force a downgrade attack. This requires carrying out the attack at very high-speed."
Young says an attack of this sort has a realistic chance of success, though subject to certain requirements. A full interception or impersonation hack requires very rapid network access, which is more easily done on large sites, where the infrastructure tends to be well-provisioned, than on small sites constrained by thin pipes.
If the snooper manages to conduct an operation of this sort during the TLS handshake timeout, that person could carry out a DROWN-style man-in-the-middle attack by downgrading the connections to use RSA encryption key change modes, according to Tripwire.
"The impact of these attacks is that passwords, credit cards, and other sensitive details become visible to the attacker and in some cases the attacker can actively manipulate what the victims see on a site," said Young.
Beyond applying patches as appropriate, the researches advise disabling RSA encryption (ciphers that start with TLS_RSA), seen in about one per cent of connections handled by Cloudflare.
"We believe RSA encryption modes are so risky that the only safe course of action is to disable them," they said. ®