ROBOT Attack Detected (Strong Oracle)
Description
The target web server is vulnerable to the ROBOT attack (Return Of Bleichenbacher's Oracle Threat), a cryptographic vulnerability affecting RSA encryption in TLS implementations. This vulnerability allows remote attackers to decrypt TLS sessions and forge signatures using the server's private RSA key by exploiting weaknesses in PKCS#1 v1.5 padding validation.
This is classified as a Strong Oracle variant, meaning the attack is practical and can be executed by capturing and analyzing several million TLS handshake packets, making exploitation feasible for determined attackers.
Remediation
To remediate this vulnerability, implement the following measures in order of priority:
- Disable RSA Key Exchange Cipher Suites: Remove all TLS cipher suites that use RSA key exchange (IANA names of the form TLS_RSA_WITH_...; in OpenSSL's naming these are the suites with no ECDHE- or DHE- prefix, for example AES128-SHA). Only retain cipher suites that use DHE (Diffie-Hellman Ephemeral) or ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) key exchange, which provide forward secrecy.
Example for Apache (httpd.conf or ssl.conf):
    SSLCipherSuite HIGH:!aNULL:!MD5:!kRSA
    SSLHonorCipherOrder on
(!kRSA removes only the suites that use RSA for key exchange. !RSA would also remove every suite authenticated with an RSA certificate, including ECDHE-RSA and DHE-RSA, leaving a server with an RSA certificate no usable TLS 1.2 suite.)
Example for Nginx (nginx.conf):
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
- Update SSL/TLS Libraries: Ensure your SSL/TLS stack (OpenSSL, GnuTLS, NSS, etc.) is updated to the latest stable version. Check with your vendor for patches specifically addressing the ROBOT vulnerability.
- Verify Configuration: After making changes, test your server configuration using online tools or the official ROBOT attack testing tool available at robotattack.org to confirm the vulnerability has been mitigated.
- Consider TLS 1.3: Where possible, upgrade to TLS 1.3, which completely removes support for RSA key exchange and eliminates this entire class of vulnerabilities.
Note: Disabling RSA key exchange cipher suites may affect compatibility with very old clients (pre-2013), but this is necessary to ensure security.