TLS Security Advisory - ROBOT

David Hook
Hi All,

Today, the ROBOT Attack on TLS was published (https://robotattack.org).
It is actually the return of the Bleichenbacher attack on RSA key
exchange as used in TLS.

*Vulnerability

BouncyCastle TLS servers, when configured to use the JCE (Java
Cryptography Extension) for cryptographic functions, were found to be
vulnerable due to a weak Bleichenbacher oracle when any TLS cipher suite
using RSA key exchange was negotiated. This specifically includes
servers using the BCJSSE provider in its default configuration.

Affected software:
    bctls-fips-1.0.2.jar and earlier versions
    bctls-jdk15on-1.58.jar and earlier versions

The older TLS implementation (in the org.bouncycastle.crypto.tls
package) is not vulnerable. The new implementation (in the
org.bouncycastle.tls package) is vulnerable if configured to use the
JcaTlsCrypto implementation of TlsCrypto, but not if using BcTlsCrypto.
The BCJSSE provider always uses JcaTlsCrypto and so is vulnerable when
RSA cipher suites are negotiated.

(Also the C# TLS implementation is not vulnerable.)

*Fixes

For FIPS users, the issue is fixed in
    bctls-fips-1.0.3.jar

We recommend all FIPS users upgrade as soon as possible.

For the regular API, version 1.59 containing the fix is expected to be
available before the end of 2017. In the meantime, beta versions
beginning with 1.59b09 contain the fix, and are available from
https://downloads.bouncycastle.org/betas/ . We recommend users upgrade
immediately to
    bctls-jdk15on-159b09.jar

and then upgrade to the full 1.59 release as soon as it is available.

If continuing to deploy vulnerable versions, we strongly recommend
disabling TLS cipher suites that use RSA key exchange.

Regards,
Pete Dettman
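The mitigation recommended above for anyone still running a vulnerable bctls build is to stop negotiating RSA key exchange. As an added illustration (not code from the Bouncy Castle project or from this advisory), the following Java program builds a BCJSSE server socket and removes every TLS_RSA_WITH_* suite from the enabled list before accepting connections; TLS_ECDHE_RSA_* and TLS_DHE_RSA_* suites stay enabled because there RSA only signs the handshake and the client never encrypts a premaster secret to the server's RSA key. The key store file name, password and port are placeholders chosen for the example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

public class NoRsaKexServer {

    // Returns a copy of 'suites' with every suite that uses plain RSA key
    // exchange removed. In the standard JSSE naming scheme those are the
    // TLS_RSA_WITH_* (and legacy SSL_RSA_WITH_*) suites. Suites such as
    // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 use RSA only for authentication
    // and are kept.
    static String[] withoutRsaKeyExchange(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (String s : suites) {
            if (s.startsWith("TLS_RSA_WITH_") || s.startsWith("SSL_RSA_WITH_")) {
                continue;
            }
            kept.add(s);
        }
        return kept.toArray(new String[kept.size()]);
    }

    public static void main(String[] args) throws Exception {
        // BCJSSE relies on the BC crypto provider for its JCA operations.
        Security.addProvider(new BouncyCastleProvider());
        Security.addProvider(new BouncyCastleJsseProvider());

        // Placeholder key store holding the server certificate and private key.
        char[] password = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new FileInputStream("server.p12"), password);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX", "BCJSSE");
        kmf.init(ks, password);

        SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
        ctx.init(kmf.getKeyManagers(), null, new SecureRandom());

        SSLServerSocketFactory ssf = ctx.getServerSocketFactory();
        SSLServerSocket server = (SSLServerSocket) ssf.createServerSocket(8443);

        // The provider's default enabled list includes RSA key exchange suites;
        // replace it with the filtered list before any client can connect.
        String[] enabled = server.getEnabledCipherSuites();
        String[] filtered = withoutRsaKeyExchange(enabled);
        server.setEnabledCipherSuites(filtered);
        System.out.println("enabled suites: " + enabled.length
                + ", after removing RSA key exchange: " + filtered.length);

        // Serve a single connection and report what was negotiated; with the
        // filter in place the session's suite can never be TLS_RSA_WITH_*.
        SSLSocket client = (SSLSocket) server.accept();
        client.startHandshake();
        System.out.println("negotiated: " + client.getSession().getCipherSuite());
        client.close();
        server.close();
    }
}
```

The same filter can be applied on the client side through SSLSocket.setEnabledCipherSuites so that a client never offers RSA key exchange to a server it cannot control. For code using the org.bouncycastle.tls API directly, the advisory's own guidance applies instead: construct the TlsServer with BcTlsCrypto rather than JcaTlsCrypto until the fixed bctls release is deployed.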