Skip to main content

19 year old attack resurfaces in 2017 as ROBOT

21.Dec.2017
Simon Roe, Product Manager at Outpost24
Network Security
In December 2017 several security researchers discovered that an old vulnerability – namely the Bleichenbachers Oracle Threat had resurfaced after first being discovered 19 years ago in 1989. This recurring vulnerability, now called ROBOT, affects the TLS (Transport Layer Protocol) in a way that could lead to the disclosure of private information caused by discrepancies between valid and invalid PKCS#1 padding.

Share this article

 

 

The research showed that approximately 3% of the top million visited websites are affected, including Facebook. This figure has more recently been increased to 27%, or simply put 270,000 websites, many of which we use ourselves regularly.
 

What does this mean really mean?

If you are using hosts or network devices that are susceptible to this vulnerability, an attacker could potentially passively capture your network traffic and decrypt the information later using the private key configured on the vulnerable host. Research shows that only around 15,000 messages are needed to decrypt the captured data and not the 1 million messages originally thought.  In some tests this was done in under 20 minutes. In November 2017 several well-respected vendors announced (and subsequently patched) the vulnerability in their systems, vendors such as F5, Cisco, Radware and Citrix – all vendors deployed in many enterprise organisations
 

But should I care?

Well, ultimately that depends. If the disclosure of personal data could cause you or your company to have a seriously bad day, then absolutely. But more importantly think of all the other information that could be passing across your network, being captured and then used as additional ways to penetrate your organizations network infrastructure.Couple this with the fact that 1) most of the vendors mentioned above have risk-rated the vulnerability as High, and 2) there are proven exploit kits already available on the internet and 3) that up to 27% of 1 million popular websites were affected including ones we use every day – then you should absolutely care.
 

What does my organization do about ROBOT vulnerability?

Already the affected vendors noted above have started releasing patches. Use your vulnerability scanner to look for the specific CVEs and ensure your remediation teams are preparing to patch and/or upgrade. The following CVE’s applicable to the attack can be found within the Outpost24 platform and used to detect vulnerable devices: CVE 2017-6168, CVE 2017-17382, CVE 2017-13098, CVE 2017-1000385, CVE 2017-13099, CVE 2016-6883, CVE 2012-5081, CVE 2017-17427, CVE 2017-17428, CVE 2017-12373 are still under investigation and analysis by NVD (National Vulnerability Database) and so do not currently have checks within. The Outpost24 vulnerability research team are constantly monitoring these for changes and will provide checks as soon as the information is available.
 
Beyond the immediate scanning and patching of affected hosts, organizations should move away from using and supporting older RSA encryption, either through the use of forward secrecy (which in turns makes it much harder for the attacker to be successful) or better still disable RSA encryption and move to ECC (elliptical curve cryptography) where possible. It is worth noting that this can have implications for supporting older mobile devices, such as Android.
 

What lessons can we learn?

Old attacks never truly disappear. The business driver to continue supporting older legacy systems coupled with a reluctance to upgrade or refresh network equipment keeps these options in play. Your adversary knows this, and will attempt to exploit these same vulnerabilities because they are easier to try than finding new zero-day vulnerabilities. Many of the successful attacks and resulting breaches such as Equifax come from these “known but unpatched” issues.
 
This puts pressure on organizations to ensure they have efficient prioritization and remediation processes in place. The most secure companies do more than just occasional vulnerability assessments - they have incorporated regular and systematic risk assessment across all technology assets that are important to their business. With this approach they know what to protect as an outcome of knowing where their weaknesses lie.
 
Follow us on Twitter or LinkedIn for more.

Looking for anything in particular?

Type your search word here