A security flaw that was first discovered in 1998 by Daniel Bleichenbacher has resurfaced, putting at risk some of the most popular websites and services, including Facebook and PayPal. Called ROBOT, the 19-year-old vulnerability can be exploited to perform RSA decryption and signing operations with the private key of a TLS server, and can still be used against many HTTPS hosts in today's Internet landscape.
"For hosts that are vulnerable and only support RSA encryption key exchanges it's pretty bad. It means an attacker can passively record traffic and later decrypt it," security researchers Hanno Böck, Juraj Somorovsky (Hackmanit GmbH, Ruhr-Universität Bochum), and Craig Young (Tripwire VERT) stated in a blog post.
"For hosts that usually use forward secrecy, but still support a vulnerable RSA encryption key exchange the risk depends on how fast an attacker is able to perform the attack. We believe that a server impersonation or man in the middle attack is possible, but it is more challenging," the researchers added.
Nearly two decades ago, Bleichenbacher discovered that error messages given by secure sockets layer (SSL) servers for errors in the PKCS #1 1.5 padding allowed an adaptive-chosen ciphertext attack, in essence fully breaking the confidentiality of TLS when used with RSA encryption. At the time, countermeasures were put in place to thwart the vulnerability.
While it would seem that a decades old bug wouldn't be capable of causing trouble today, in this case it's been modified to allow various different signals to distinguish between error types like timeouts, connection resets, and duplicate TLS alerts. In addition, the original countermeasures were fairly complex, and as a result many of them were not implemented correctly.
In addition to Facebook and PayPal, the security researchers found vulnerable subdomains on 27 of the top 100 websites as ranked by Alexa, along with more than half a dozen vendors including Cisco, Citrix, and F5. There are fixes available from several of them, and more on the way.