A number of the most popular websites and services online, including Facebook and PayPal, are vulnerable to an exploit which has resurfaced from 1998.
The security flaw, dubbed ROBOT, was first discovered almost two decades ago by Daniel Bleichenbacher.
PKCS #1 1.5 padding error messages produced by secure sockets layer (SSL) servers allow for an adaptive-chosen ciphertext attack which "fully breaks the confidentiality of TLS when used with RSA encryption," according to researchers Hanno Böck and Juraj Somorovsky from Hackmanit GmbH, Ruhr-Universität Bochum, and Tripwire VERT's Craig Young.
The server-side implementation bug can be abused to perform RSA decryption and signing operations with the server's private key, which in turn allows recorded TLS traffic to be decrypted.
"We discovered that by using some slight variations this vulnerability can still be used against many HTTPS hosts in today's Internet," the team says.
The team extended the original attack with additional side-channel signals, such as timeouts, connection resets, and duplicate TLS alerts, to distinguish between the ways a server reacts to malformed RSA ciphertexts.
This means that for websites vulnerable to ROBOT, attackers are given the opportunity to record traffic streams for decryption later. Private keys are not recovered during the process and so certificates do not need to be revoked.
"For hosts that usually use forward secrecy, but still support a vulnerable RSA encryption key exchange the risk depends on how fast an attacker is able to perform the attack," the researchers say. "We believe that a server impersonation or man in the middle attack is possible, but it is more challenging."
When the 19-year-old vulnerability was first uncovered, the developers of TLS added countermeasures to the protocol. However, these countermeasures are complex to implement, and it appears that many implementations have not applied them correctly.
"We used minor variations of the original attack and were successful," the researchers say. "This issue was hiding in plain sight."
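The countermeasure the researchers describe as hard to get right, shown as an added Python example that is not from the paper or from any named vendor's code: a naive PKCS#1 v1.5 unpadding routine that exposes which check failed, next to one that follows the RFC 5246 section 7.4.7.1 approach of substituting random bytes so every failure looks the same to a client. Both functions operate on an already RSA-decrypted block; the sample block, version and premaster secret bytes are constructed.

```python
import secrets

PMS_LEN = 48  # TLS RSA premaster secret: 2 version bytes + 46 random bytes


class PaddingError(Exception):
    """Distinct, observable failure: the oracle behaviour ROBOT exploits."""


def _split_pkcs1_v15(block: bytes):
    """Return (padding_ok, payload) for an RSA-decrypted PKCS#1 v1.5 type 2
    block laid out as 00 || 02 || PS (>= 8 non-zero bytes) || 00 || payload."""
    sep = block.find(b"\x00", 2)
    ok = block[:2] == b"\x00\x02" and sep >= 10
    return ok, (block[sep + 1:] if sep >= 0 else b"")


def unpad_leaky(block: bytes, client_version: bytes) -> bytes:
    """Naive unpadding: each check failure raises a different error. A server
    that maps these to different alerts, timeouts or resets hands an attacker
    a Bleichenbacher padding oracle."""
    ok, pms = _split_pkcs1_v15(block)
    if not ok:
        raise PaddingError("bad PKCS#1 padding")
    if len(pms) != PMS_LEN:
        raise PaddingError("bad premaster secret length")
    if pms[:2] != client_version:
        raise PaddingError("client version mismatch")
    return pms


def unpad_hardened(block: bytes, client_version: bytes) -> bytes:
    """RFC 5246 section 7.4.7.1 countermeasure: never signal a padding failure.
    Always return client_version || 46 bytes, taken from the decrypted message
    when the padding is valid and from a fresh random string otherwise, so a
    bad ciphertext simply fails the Finished check later, indistinguishably
    from any other wrong premaster secret."""
    r = secrets.token_bytes(PMS_LEN)  # drawn before any check, never reused
    ok, pms = _split_pkcs1_v15(block)
    source = pms if (ok and len(pms) == PMS_LEN) else r
    # Production code must also make this selection constant-time; the point
    # shown here is that no distinguishable error ever escapes.
    return client_version + source[2:]


def leaks_error(block: bytes, client_version: bytes) -> bool:
    """True if the naive routine exposes a distinguishable failure."""
    try:
        unpad_leaky(block, client_version)
        return False
    except PaddingError:
        return True


def sample_blocks():
    """Constructed sample (not real traffic): a valid 128-byte block for a
    1024-bit key, and a copy with a corrupted block type byte."""
    version = b"\x03\x03"                      # TLS 1.2 client_version
    pms = version + b"\x11" * 46
    good = b"\x00\x02" + b"\xaa" * 77 + b"\x00" + pms
    bad = b"\x00\x03" + good[2:]
    return good, bad, version, pms
```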
A research paper describing the vulnerability's return has been published (.PDF) at the Cryptology ePrint Archive.
According to the team, 27 out of the top 100 Alexa domains are vulnerable, alongside at least seven vendors including F5, Citrix, and Cisco.
Facebook has since patched its servers, and available patches are listed below:
- F5: BIG-IP SSL vulnerability
- Citrix: TLS Padding Oracle Vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway
- Radware: Security Advisory: Adaptive chosen-ciphertext attack vulnerability
- Cisco ACE: Bleichenbacher Attack on TLS Affecting Cisco Products, End-of-Sale and End-of-Life
- Bouncy Castle: Fix in 1.59 beta 9, Patch / Commit
- Erlang: OTP 184.108.40.206, OTP 220.127.116.11, OTP 20.1.7
- WolfSSL: Github PR / patch
- MatrixSSL: Changes in 3.8.3
- Java / JSSE: Oracle Critical Patch Update Advisory
The MatrixSSL and JSSE flaws are older, previously fixed vulnerabilities, but they are included because the team still detected vulnerable hosts running them.
However, the team says that other vendors "have fixes pending" and so will not be named at the moment.
"Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures," the team says. "We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky these modes also lack forward secrecy."