PKCS #1 v1.5 padding error messages produced by secure sockets layer (SSL) servers allow for an adaptive-chosen ciphertext attack which "fully breaks the confidentiality of TLS when used with RSA encryption," according to researchers Hanno Böck and Juraj Somorovsky from Hackmanit GmbH, Ruhr-Universität Bochum, and Tripwire VERT's Craig Young.
The server implementation bug could be used to perform RSA decryption and signing operations with the server's private key, which in turn allows recorded traffic to be decrypted.
"We discovered that by using some slight variations this vulnerability can still be used against many HTTPS hosts in today's Internet," the team says.
The original attack was extended with additional signals that distinguish between server error behaviours, such as timeouts, connection resets, and duplicate TLS alerts.
This means that for websites vulnerable to ROBOT, attackers are given the opportunity to record traffic streams for decryption later. Private keys are not recovered during the process and so certificates do not need to be revoked.
"For hosts that usually use forward secrecy, but still support a vulnerable RSA encryption key exchange the risk depends on how fast an attacker is able to perform the attack," the researchers say. "We believe that a server impersonation or man in the middle attack is possible, but it is more challenging."
When the 19-year-old vulnerability was first uncovered, the developers of TLS added countermeasures to the protocol. However, these countermeasures are complex to implement correctly, and it appears that many implementations have got them wrong.
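The countermeasure the article refers to is the one TLS 1.2 (RFC 5246, section 7.4.7.1) prescribes for the RSA key exchange: the server must not tell the client whether the PKCS #1 v1.5 padding or the embedded protocol version was wrong; instead it substitutes a freshly generated random premaster secret and carries on, so that every malformed ciphertext looks the same from the outside. The following Python is an added illustration written for this article, not code from the researchers or from any TLS library. It starts from the "encoded message" that comes out of the raw RSA private-key operation (the RSA arithmetic itself is left out), and contrasts a leaky handler, which reports distinct outcomes and therefore forms exactly the kind of oracle described above, with a hardened handler that always yields a 48-byte secret. The function names, the sample messages and the `client_version` value are constructed for the example.

```python
import secrets

PREMASTER_LEN = 48          # TLS premaster secret is always 48 bytes
MIN_PAD_LEN = 8             # PKCS #1 v1.5 requires at least 8 nonzero padding bytes


def pkcs1_v15_unpad(em: bytes, k: int) -> bytes:
    """Strict PKCS #1 v1.5 type-2 unpadding: 00 || 02 || PS (nonzero) || 00 || M.

    Raises ValueError on any defect. Which defect is raised is exactly the
    information a server must never reveal to the peer.
    """
    if len(em) != k or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad header")
    sep = em.find(b"\x00", 2)
    if sep == -1:
        raise ValueError("no separator")
    if sep - 2 < MIN_PAD_LEN:
        raise ValueError("padding too short")
    return em[sep + 1:]


def leaky_handler(em: bytes, k: int, client_version: bytes) -> str:
    """Vulnerable pattern: every failure mode maps to a different observable outcome.

    Sending distinct alerts (or resetting / hanging on some paths and not others)
    is what lets an attacker tell a good padding from a bad one.
    """
    try:
        m = pkcs1_v15_unpad(em, k)
    except ValueError:
        return "alert:bad_padding"          # distinguishable outcome #1
    if len(m) != PREMASTER_LEN:
        return "alert:bad_length"           # distinguishable outcome #2
    if m[:2] != client_version:
        return "alert:bad_version"          # distinguishable outcome #3
    return "ok"


def hardened_handler(em: bytes, k: int, client_version: bytes) -> bytes:
    """RFC 5246 7.4.7.1 countermeasure: always produce a 48-byte premaster secret.

    The random replacement is generated before any check so the control flow
    does the same work on every path; the handshake then proceeds and simply
    fails later at the Finished message, identically for every bad ciphertext.
    (This hides the padding result, not wall-clock timing, so the branches
    must also be kept free of timing differences in a real implementation.)
    """
    replacement = secrets.token_bytes(PREMASTER_LEN)
    try:
        m = pkcs1_v15_unpad(em, k)
    except ValueError:
        return replacement
    if len(m) != PREMASTER_LEN or m[:2] != client_version:
        return replacement
    return m


# --- constructed sample input, not captured from any real server --------------
CLIENT_VERSION = b"\x03\x03"                      # TLS 1.2 as sent in ClientHello
SAMPLE_SECRET = CLIENT_VERSION + bytes(range(46))  # version || 46 bytes
K = 2 + MIN_PAD_LEN + 1 + PREMASTER_LEN            # modulus length for the toy message


def encode(secret: bytes) -> bytes:
    """Build a well-formed type-2 encoded message around `secret`."""
    return b"\x00\x02" + b"\x01" * MIN_PAD_LEN + b"\x00" + secret


def corrupt_header(em: bytes) -> bytes:
    """Flip the 0x02 block-type byte, the classic padding-oracle probe."""
    return em[:1] + b"\x03" + em[2:]


if __name__ == "__main__":
    good, bad = encode(SAMPLE_SECRET), corrupt_header(encode(SAMPLE_SECRET))
    print("leaky   :", leaky_handler(good, K, CLIENT_VERSION), leaky_handler(bad, K, CLIENT_VERSION))
    print("hardened:", len(hardened_handler(good, K, CLIENT_VERSION)), len(hardened_handler(bad, K, CLIENT_VERSION)))
```

The leaky handler answers `ok` for the well-formed message and `alert:bad_padding` for the corrupted one, which is the distinguishing signal; the hardened handler returns 48 bytes in both cases, and only an attacker who already knows the true premaster secret could tell the real one from the random substitute. The article's point is that the additional signals (timeouts, resets, duplicated alerts) reintroduce the distinction even where the padding check itself is handled as in `hardened_handler`, so the whole response path, not just the unpadding routine, has to behave uniformly.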
"We used minor variations of the original attack and were successful," the researchers say. "This issue was hiding in plain sight."
A research paper describing the vulnerability's return has been published (.PDF) at the Cryptology ePrint Archive.
According to the team, 27 out of the top 100 Alexa domains are vulnerable, alongside at least seven vendors including F5, Citrix, and Cisco.
Facebook has since patched its servers, and available patches are listed below:
"Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures," the team says. "We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky these modes also lack forward secrecy."