TLS Security Advisory - ROBOT


TLS Security Advisory - ROBOT

Peter Dettman-3
Hi All,

Today, the ROBOT Attack on TLS was published (https://robotattack.org).
It is actually the return of the Bleichenbacher attack on RSA key
exchange as used in TLS.

*Vulnerability

BouncyCastle TLS servers, when configured to use the JCE (Java
Cryptography Extension) for cryptographic functions, were found to be
vulnerable due to a weak Bleichenbacher oracle when any TLS cipher suite
using RSA key exchange was negotiated. This specifically includes
servers using the BCJSSE provider in its default configuration.

Affected software:
    bctls-fips-1.0.2.jar and earlier versions
    bctls-jdk15on-1.58.jar and earlier versions

The older TLS implementation (in the org.bouncycastle.crypto.tls
package) is not vulnerable. The new implementation (in the
org.bouncycastle.tls package) is vulnerable if configured to use the
JcaTlsCrypto implementation of TlsCrypto, but not if using BcTlsCrypto.
The BCJSSE provider always uses JcaTlsCrypto and so is vulnerable when
RSA cipher suites are negotiated.

(Also the C# TLS implementation is not vulnerable.)

*Fixes

For FIPS users, the issue is fixed in
    bctls-fips-1.0.3.jar

We recommend all FIPS users upgrade as soon as possible.

For the regular API, version 1.59 containing the fix is expected to be
available before the end of 2017. In the meantime, beta versions
beginning with 1.59b09 contain the fix, and are available from
https://downloads.bouncycastle.org/betas/. We recommend users upgrade
immediately to
    bctls-jdk15on-159b09.jar

and then upgrade to the full 1.59 release as soon as it is available.

If continuing to deploy vulnerable versions, we strongly recommend
disabling TLS cipher suites that use RSA key exchange.

Regards,
Pete Dettman
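The advisory's stop-gap for anyone who cannot upgrade yet is to stop negotiating cipher suites that use RSA key exchange. The following is an added example, not code from the advisory or from the Bouncy Castle project, showing how a BCJSSE server socket can be configured that way. It assumes the provider name "BCJSSE", the KeyManagerFactory algorithm "PKIX" as documented for BCJSSE, and a placeholder key store path and password; the class name `NoRsaKexServer` and the helper names are mine.

```java
// Added example (not from the advisory or the Bouncy Castle project): a BCJSSE
// server socket that refuses every cipher suite using static RSA key exchange,
// the mitigation the advisory recommends while a vulnerable bctls jar is deployed.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

public class NoRsaKexServer {

    // In TLS_RSA_* / SSL_RSA_* suites the client encrypts the pre-master secret
    // under the server's RSA key with PKCS#1 v1.5 padding, which is exactly the
    // operation a Bleichenbacher oracle abuses. TLS_ECDHE_RSA_* and TLS_DHE_RSA_*
    // use the RSA key only for signing, so they are unaffected and are kept.
    static boolean usesRsaKeyExchange(String suite) {
        return suite.startsWith("TLS_RSA_") || suite.startsWith("SSL_RSA_");
    }

    // Returns the input list with every static-RSA key exchange suite removed.
    static String[] withoutRsaKeyExchange(String[] suites) {
        List<String> kept = new ArrayList<>();
        for (String s : suites) {
            if (!usesRsaKeyExchange(s)) {
                kept.add(s);
            }
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        Security.addProvider(new BouncyCastleJsseProvider());

        // Placeholder key store path and password (assumed values; replace them).
        char[] password = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream("server-keystore.p12")) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX", "BCJSSE");
        kmf.init(ks, password);

        SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
        ctx.init(kmf.getKeyManagers(), null, null);

        SSLServerSocket server =
            (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443);

        // The provider's default list includes TLS_RSA_* suites; filter them out
        // before the first handshake so no RSA-encrypted pre-master secret is accepted.
        String[] enabled = server.getEnabledCipherSuites();
        String[] hardened = withoutRsaKeyExchange(enabled);
        server.setEnabledCipherSuites(hardened);

        // Sanity check: re-read the enabled list rather than trusting our own array.
        for (String s : server.getEnabledCipherSuites()) {
            if (usesRsaKeyExchange(s)) {
                throw new IllegalStateException("RSA key exchange still enabled: " + s);
            }
        }
        System.out.println("removed " + (enabled.length - hardened.length)
            + " RSA key exchange suite(s); " + hardened.length + " remain");

        // server.accept() and the usual connection handling follow here.
    }
}
```

The check re-reads `getEnabledCipherSuites()` after the call to `setEnabledCipherSuites` because that is the list the provider will actually offer; a mismatch would show up as an exception at start-up rather than as a silently negotiated RSA suite. This only narrows the attack surface on a vulnerable jar; the fix itself is the upgrade to bctls-fips-1.0.3 or bctls-jdk15on 1.59 named above.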



AW: [dev-crypto] TLS Security Advisory - ROBOT

Steffen Heil (Mailinglisten)
Hi


JSSE was fixed back in 2012. So does this warning only apply to deployments with old Java runtimes, or is it a negative interference between JSSE and BouncyCastle even on newer runtimes?


Regards,
   Steffen


> -----Original Message-----
> From: Peter Dettman [mailto:[hidden email]]
> Sent: Tuesday, 12 December 2017 18:38
> To: BouncyCastle <[hidden email]>
> Subject: [dev-crypto] TLS Security Advisory - ROBOT



RE: TLS Security Advisory - ROBOT

Eckenfels. Bernd

It is not for Oracle JSSE but for the different BC TLS implementations (including BCJSSE).
--
http://www.seeburger.com
________________________________________
From: Steffen Heil (Mailinglisten) [[hidden email]]
Sent: Monday, December 25, 2017 20:48
To: [hidden email]
Cc: BouncyCastle
Subject: AW: [dev-crypto] TLS Security Advisory - ROBOT










SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
Edisonstr. 1
D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
Fax: 07252 / 96 - 2222
Internet: http://www.seeburger.de               Registergericht/Commercial Register:
e-mail: [hidden email]               HRB 240708 Mannheim


Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.


This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.


Reply | Threaded
Open this post in threaded view
|

Re: AW: [dev-crypto] TLS Security Advisory - ROBOT

Matti Aarnio
Hi,

If you read the robotattack report carefully, you see that they say that Java JSSE was fixed back in 2012, but that lots of Java servers from that age or older are still in active use for various reasons (lack of system maintenance, bundled runtime, ...) and were responding to their probes.

Indeed, this is an important issue in IT security maintenance work.
On anything more complicated than "Hello World" in assembly language there is bound to be a runtime library which may have lots of security issues.

Best Regards,  Matti

On 12/25/2017 09:48 PM, Steffen Heil (Mailinglisten) wrote:


