Think you have a false positive on this rule?

Sid 1-45201

Message

SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt

Summary

This event is generated when a limited number of RSA ciphersuites are used in a SSL client hello, indicating a possible Bleichenbacher padding oracle attack.

Impact

Attempted Information Leak

CVE-2012-5081:

CVSS base score 5.0

CVSS impact score 2.9

CVSS exploitability score 10.0

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

CVE-2016-6883:

CVSS base score 5.9

CVSS impact score 3.6

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

CVE-2017-1000385:

CVSS base score 5.9

CVSS impact score 3.6

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

CVE-2017-12373:

CVSS base score 5.9

CVSS impact score 3.6

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

CVE-2017-13098:

CVSS base score 5.9

CVSS impact score 3.6

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

CVE-2017-13099:

CVSS base score 5.9

CVSS impact score 3.6

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

CVE-2017-17382:

CVSS base score 5.9

CVSS impact score 3.6

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

CVE-2017-17427:

CVSS base score 5.9

CVSS impact score 3.6

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

CVE-2017-17428:

CVSS base score 5.9

CVSS impact score 3.6

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

CVE-2017-6168:

CVSS base score 7.4

CVSS impact score 5.2

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Detailed information

CVE-2012-5081: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect availability, related to JSSE.

CVE-2016-6883: MatrixSSL before 3.8.3 configured with RSA Cipher Suites allows remote attackers to obtain sensitive information via a Bleichenbacher variant attack.

CVE-2017-1000385: The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server's private key (this is a variation of the Bleichenbacher attack).

CVE-2017-12373: A vulnerability in the TLS protocol implementation of legacy Cisco ASA 5500 Series (ASA 5505, 5510, 5520, 5540, and 5550) devices could allow an unauthenticated, remote attacker to access sensitive information, aka a Return of Bleichenbacher's Oracle Threat (ROBOT) attack. An attacker could iteratively query a server running a vulnerable TLS stack implementation to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions. Cisco Bug IDs: CSCvg97652.

CVE-2017-13098: BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."

CVE-2017-13099: wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable wolfSSL application. This vulnerability is referred to as "ROBOT."

CVE-2017-17382: Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.5 before build 67.13, 11.0 before build 71.22, 11.1 before build 56.19, and 12.0 before build 53.22 might allow remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a ROBOT attack.

CVE-2017-17427: Radware Alteon devices with a firmware version between 31.0.0.0-31.0.3.0 are vulnerable to an adaptive-chosen ciphertext attack ("Bleichenbacher attack"). This allows an attacker to decrypt observed traffic that has been encrypted with the RSA cipher and to perform other private key operations.

CVE-2017-17428: Cavium Nitrox SSL, Nitrox V SSL, and TurboSSL software development kits (SDKs) allow remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a ROBOT attack.

CVE-2017-6168: On BIG-IP versions 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3) a virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages and/or a Man-in-the-middle (MiTM) attack, despite the attacker not having gained access to the server's private key itself, aka a ROBOT attack.

Affected systems

oracle jdk 1.4.2_38
oracle jdk 1.5.0
oracle jdk 1.6.0
oracle jdk 1.7.0
oracle jre 1.4.2_38
oracle jre 1.5.0
oracle jre 1.6.0
oracle jre 1.7.0
sun jdk 1.4.2
sun jdk 1.4.2_1
sun jdk 1.4.2_2
sun jdk 1.4.2_3
sun jdk 1.4.2_4
sun jdk 1.4.2_5
sun jdk 1.4.2_6
sun jdk 1.4.2_7
sun jdk 1.4.2_8
sun jdk 1.4.2_9
sun jdk 1.4.2_10
sun jdk 1.4.2_11
sun jdk 1.4.2_12
sun jdk 1.4.2_13
sun jdk 1.4.2_14
sun jdk 1.4.2_15
sun jdk 1.4.2_16
sun jdk 1.4.2_17
sun jdk 1.4.2_18
sun jdk 1.4.2_19
sun jdk 1.4.2_22
sun jdk 1.4.2_23
sun jdk 1.4.2_25
sun jdk 1.4.2_26
sun jdk 1.4.2_27
sun jdk 1.4.2_28
sun jdk 1.4.2_29
sun jdk 1.4.2_30
sun jdk 1.4.2_31
sun jdk 1.4.2_32
sun jdk 1.4.2_33
sun jdk 1.4.2_34
sun jdk 1.4.2_35
sun jdk 1.4.2_36
sun jdk 1.4.2_37
sun jdk 1.5.0
sun jdk 1.6.0
sun jdk 1.6.0.200
sun jdk 1.6.0.210
sun jre 1.4.2_1
sun jre 1.4.2_2
sun jre 1.4.2_3
sun jre 1.4.2_4
sun jre 1.4.2_5
sun jre 1.4.2_6
sun jre 1.4.2_7
sun jre 1.4.2_8
sun jre 1.4.2_9
sun jre 1.4.2_10
sun jre 1.4.2_11
sun jre 1.4.2_12
sun jre 1.4.2_13
sun jre 1.4.2_14
sun jre 1.4.2_15
sun jre 1.4.2_16
sun jre 1.4.2_17
sun jre 1.4.2_18
sun jre 1.4.2_19
sun jre 1.4.2_20
sun jre 1.4.2_21
sun jre 1.4.2_22
sun jre 1.4.2_23
sun jre 1.4.2_24
sun jre 1.4.2_25
sun jre 1.4.2_26
sun jre 1.4.2_27
sun jre 1.4.2_28
sun jre 1.4.2_29
sun jre 1.4.2_30
sun jre 1.4.2_31
sun jre 1.4.2_32
sun jre 1.4.2_33
sun jre 1.4.2_34
sun jre 1.4.2_35
sun jre 1.4.2_36
sun jre 1.4.2_37
sun jre 1.5.0
sun jre 1.6.0
matrixssl matrixssl 3.8.2
erlang erlang/otp 18.3.4.7
erlang erlang/otp 19.3.6.4
erlang erlang/otp 20.1.7
debian debian_linux 8.0
debian debian_linux 9.0
cisco adaptivesecurityappliance5505firmware -
cisco adaptivesecurityappliance5510firmware -
cisco adaptivesecurityappliance5520firmware -
cisco adaptivesecurityappliance5540firmware -
cisco adaptivesecurityappliance5550firmware -
bouncycastle legion-of-the-bouncy-castle-c#-cryptography-api 0.0
bouncycastle legion-of-the-bouncy-castle-c#-cryptography-api 1.0
wolfssl wolfssl 3.6.6
wolfssl wolfssl 3.10.0
wolfssl wolfssl 3.10.0a
wolfssl wolfssl 3.10.4
citrix applicationdeliverycontroller_firmware 10.5
citrix applicationdeliverycontroller_firmware 11.0
citrix applicationdeliverycontroller_firmware 11.1
citrix applicationdeliverycontroller_firmware 12.0
citrix netscalergatewayfirmware 10.5
citrix netscalergatewayfirmware 11.0
citrix netscalergatewayfirmware 11.1
citrix netscalergatewayfirmware 12.0
cavium nitroxsslsdk 6.1.0
cavium nitroxvssl_sdk 1.2
cavium octeon_sdk 1.7.2
cavium octeonsslsdk 1.5.0
cavium turbossl_sdk 1.0
cisco webexconectim 7.24.1
cisco webex_meetings t31
cisco webex_meetings t32
cisco ace30applicationcontrolenginemodule_firmware 3.0(0)a5(2.0)
cisco ace30applicationcontrolenginemodule_firmware 3.0(0)a5(3.0)
cisco ace30applicationcontrolenginemodule_firmware 3.0(0)a5(3.5)
cisco ace4710applicationcontrolenginefirmware 3.0(0)a5(2.0)
cisco ace4710applicationcontrolenginefirmware 3.0(0)a5(3.0)
cisco ace4710applicationcontrolenginefirmware 3.0(0)a5(3.5)
cisco adaptivesecurityappliance5505firmware 9.1(7.16)
cisco adaptivesecurityappliance5510firmware 9.1(7.16)
cisco adaptivesecurityappliance5520firmware 9.1(7.16)
cisco adaptivesecurityappliance5540firmware 9.1(7.16)
cisco adaptivesecurityappliance5550firmware 9.1(7.16)
f5 big-ip_aam 13.0.0
f5 big-ip_afm 13.0.0
f5 big-ip_analytics 11.6.0
f5 big-ip_analytics 12.0.0
f5 big-ip_analytics 12.1.0
f5 big-ip_analytics 12.1.1
f5 big-ip_analytics 13.0.0
f5 big-ip_apm 13.0.0
f5 big-ip_asm 13.0.0
f5 big-iplinkcontroller 11.6.0
f5 big-iplinkcontroller 12.0.0
f5 big-iplinkcontroller 12.1.1
f5 big-iplinkcontroller 13.0.0
f5 big-ip_ltm 13.0.0
f5 big-ip_pem 13.0.0
f5 websafe 11.6.2
f5 websafe 13.0.0

Ease of attack

CVE-2012-5081:

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

CVE-2016-6883:

Access Vector

Access Complexity

Authentication

CVE-2017-1000385:

Access Vector

Access Complexity

Authentication

CVE-2017-12373:

Access Vector

Access Complexity

Authentication

CVE-2017-13098:

Access Vector

Access Complexity

Authentication

CVE-2017-13099:

Access Vector

Access Complexity

Authentication

CVE-2017-17382:

Access Vector

Access Complexity

Authentication

CVE-2017-17427:

Access Vector

Access Complexity

Authentication

CVE-2017-17428:

Access Vector

Access Complexity

Authentication

CVE-2017-6168:

Access Vector

Access Complexity

Authentication

False positives

False negatives

Corrective action

Contributors

Cisco's Talos Intelligence Group

Additional References

robotattack.org
tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171212-bleichenbacher