19 year old attack resurfaces in 2017 as ROBOT
The research showed that approximately 3% of the top million visited websites are affected, including Facebook. This figure has more recently been increased to 27%, or simply put 270,000 websites, many of which we use ourselves regularly.
What does this really mean?
If you are using hosts or network devices that are susceptible to this vulnerability, an attacker could potentially passively capture your network traffic and decrypt the information later using the private key configured on the vulnerable host. Research shows that only around 15,000 messages are needed to decrypt the captured data and not the 1 million messages originally thought. In some tests this was done in under 20 minutes. In November 2017 several well-respected vendors, such as F5, Cisco, Radware and Citrix, announced (and subsequently patched) the vulnerability in their systems. All of these vendors are deployed in many enterprise organisations.
But should I care?
Well, ultimately that depends. If the disclosure of personal data could cause you or your company to have a seriously bad day, then absolutely. But more importantly, think of all the other information that could be passing across your network, being captured and then used as additional ways to penetrate your organization's network infrastructure. Couple this with the fact that 1) most of the vendors mentioned above have risk-rated the vulnerability as High, 2) there are proven exploit kits already available on the internet, and 3) up to 27% of 1 million popular websites were affected, including ones we use every day, and you should absolutely care.
What does my organization do about ROBOT vulnerability?
The affected vendors noted above have already started releasing patches. Use your vulnerability scanner to look for the specific CVEs and ensure your remediation teams are preparing to patch and/or upgrade. The following CVEs applicable to the attack can be found within the Outpost24 platform and used to detect vulnerable devices: CVE-2017-6168, CVE-2017-17382, CVE-2017-13098, CVE-2017-1000385, CVE-2017-13099, CVE-2016-6883, CVE-2012-5081, CVE-2017-17427, CVE-2017-17428, CVE-2017-12373 are still under investigation and analysis by NVD (National Vulnerability Database) and so do not currently have checks within. The Outpost24 vulnerability research team is constantly monitoring these for changes and will provide checks as soon as the information is available.
Beyond the immediate scanning and patching of affected hosts, organizations should move away from using and supporting older RSA encryption, either through the use of forward secrecy (which in turn makes it much harder for the attacker to be successful) or, better still, by disabling RSA encryption and moving to ECC (elliptic curve cryptography) where possible. It is worth noting that this can have implications for supporting older mobile devices, such as Android.
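To support the move away from RSA encryption described above, the following added example (not Outpost24 code) audits an expanded cipher suite list and reports which suites still use RSA key exchange and should be disabled. The sample list is constructed, the function names are hypothetical, and the name-based classification is a heuristic that treats an OpenSSL-style name with no recognised key-exchange prefix as RSA.

```python
import re

# Constructed sample: an expanded suite list in the colon-separated form that
# `openssl ciphers` prints, plus one IANA-style name as some appliances show it.
SAMPLE = ("ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:"
          "AES256-SHA:TLS_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CBC_SHA")

TLS13 = re.compile(r"^TLS_(AES|CHACHA20)_")
FORWARD_SECRET = ("ECDHE", "DHE", "EDH")
# Other OpenSSL key-exchange prefixes that are not RSA key transport.
OTHER_KX = ("ECDH-", "DH-", "ADH-", "AECDH-", "PSK-", "SRP-")

def key_exchange(suite):
    """Classify one suite name as 'rsa', 'forward-secret', 'tls1.3' or 'other'."""
    s = suite.strip().upper()
    if TLS13.match(s):
        return "tls1.3"                      # TLS 1.3 removed RSA key transport
    if s.startswith("TLS_"):                 # IANA name: TLS_<kx>_WITH_<cipher>
        kx = s[4:].split("_WITH_")[0]
        if kx.startswith("RSA"):             # RSA, RSA_PSK, RSA_EXPORT
            return "rsa"
        return "forward-secret" if kx.startswith(FORWARD_SECRET) else "other"
    if s.startswith("EXP-"):                 # export-grade marker precedes the kx
        s = s[4:]
    if s.startswith("RSA-PSK-"):
        return "rsa"
    if s.startswith(tuple(p + "-" for p in FORWARD_SECRET)):
        return "forward-secret"              # ECDHE-RSA-*: RSA only signs here
    if s.startswith(OTHER_KX):
        return "other"
    return "rsa"                             # heuristic: no kx prefix means RSA

def rsa_key_exchange_suites(cipher_list):
    """Return the suites in a colon-separated list that use RSA encryption."""
    names = [n for n in cipher_list.split(":") if n.strip()]
    return [n for n in names if key_exchange(n) == "rsa"]

def audit(cipher_list):
    """Summarise a list: counts per class and the suites to disable."""
    counts = {}
    for n in filter(str.strip, cipher_list.split(":")):
        counts[key_exchange(n)] = counts.get(key_exchange(n), 0) + 1
    return counts, rsa_key_exchange_suites(cipher_list)

if __name__ == "__main__":
    counts, to_disable = audit(SAMPLE)
    print(counts)
    print("disable:", ", ".join(to_disable))
```

Feed it the list your server or load balancer actually offers; cipher string keywords such as HIGH or !aNULL must be expanded to suite names first.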
What lessons can we learn?
Old attacks never truly disappear. The business driver to continue supporting older legacy systems coupled with a reluctance to upgrade or refresh network equipment keeps these options in play. Your adversary knows this, and will attempt to exploit these same vulnerabilities because they are easier to try than finding new zero-day vulnerabilities. Many of the successful attacks and resulting breaches such as Equifax come from these “known but unpatched” issues.
This puts pressure on organizations to ensure they have efficient prioritization and remediation processes in place. The most secure companies do more than just occasional vulnerability assessments - they have incorporated regular and systematic risk assessment across all technology assets that are important to their business. With this approach they know what to protect as an outcome of knowing where their weaknesses lie.