Think you have a false positive on this rule?

Sid 1-45830

Message

SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt

Summary

This event is generated when a limited number of RSA ciphersuites are used in a SSL client hello, indicating a possible Bleichenbacher padding oracle attack.

Impact

Attempted Information Leak

CVE-2012-5081:

CVSS base score 5.0

CVSS impact score 2.9

CVSS exploitability score 10.0

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

CVE-2016-6883:

CVSS base score 5.9

CVSS impact score 3.6

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

CVE-2017-1000385:

CVSS base score 5.9

CVSS impact score 3.6

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

CVE-2017-12373:

CVSS base score 5.9

CVSS impact score 3.6

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

CVE-2017-13098:

CVSS base score 5.9

CVSS impact score 3.6

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

CVE-2017-13099:

CVSS base score 5.9

CVSS impact score 3.6

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

CVE-2017-17382:

CVSS base score 5.9

CVSS impact score 3.6

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

CVE-2017-17427:

CVSS base score 5.9

CVSS impact score 3.6

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

CVE-2017-17428:

CVSS base score 5.9

CVSS impact score 3.6

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

CVE-2017-6168:

CVSS base score 7.4

CVSS impact score 5.2

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Detailed information

CVE-2012-5081: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect availability, related to JSSE.

CVE-2016-6883: MatrixSSL before 3.8.3 configured with RSA Cipher Suites allows remote attackers to obtain sensitive information via a Bleichenbacher variant attack.

CVE-2017-1000385: The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server's private key (this is a variation of the Bleichenbacher attack).

CVE-2017-12373: A vulnerability in the TLS protocol implementation of legacy Cisco ASA 5500 Series (ASA 5505, 5510, 5520, 5540, and 5550) devices could allow an unauthenticated, remote attacker to access sensitive information, aka a Return of Bleichenbacher's Oracle Threat (ROBOT) attack. An attacker could iteratively query a server running a vulnerable TLS stack implementation to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions. Cisco Bug IDs: CSCvg97652.

CVE-2017-13098: BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."

CVE-2017-13099: wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable wolfSSL application. This vulnerability is referred to as "ROBOT."

CVE-2017-17382: Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.5 before build 67.13, 11.0 before build 71.22, 11.1 before build 56.19, and 12.0 before build 53.22 might allow remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a ROBOT attack.

CVE-2017-17427: Radware Alteon devices with a firmware version between 31.0.0.0-31.0.3.0 are vulnerable to an adaptive-chosen ciphertext attack ("Bleichenbacher attack"). This allows an attacker to decrypt observed traffic that has been encrypted with the RSA cipher and to perform other private key operations.

CVE-2017-17428: Cavium Nitrox SSL, Nitrox V SSL, and TurboSSL software development kits (SDKs) allow remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a ROBOT attack.

CVE-2017-6168: On BIG-IP versions 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3) a virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages and/or a Man-in-the-middle (MiTM) attack, despite the attacker not having gained access to the server's private key itself, aka a ROBOT attack.

Affected systems

  • oracle jdk 1.4.2_38
  • oracle jdk 1.5.0
  • oracle jdk 1.6.0
  • oracle jdk 1.7.0
  • oracle jre 1.4.2_38
  • oracle jre 1.5.0
  • oracle jre 1.6.0
  • oracle jre 1.7.0
  • sun jdk 1.4.2
  • sun jdk 1.4.2_1
  • sun jdk 1.4.2_2
  • sun jdk 1.4.2_3
  • sun jdk 1.4.2_4
  • sun jdk 1.4.2_5
  • sun jdk 1.4.2_6
  • sun jdk 1.4.2_7
  • sun jdk 1.4.2_8
  • sun jdk 1.4.2_9
  • sun jdk 1.4.2_10
  • sun jdk 1.4.2_11
  • sun jdk 1.4.2_12
  • sun jdk 1.4.2_13
  • sun jdk 1.4.2_14
  • sun jdk 1.4.2_15
  • sun jdk 1.4.2_16
  • sun jdk 1.4.2_17
  • sun jdk 1.4.2_18
  • sun jdk 1.4.2_19
  • sun jdk 1.4.2_22
  • sun jdk 1.4.2_23
  • sun jdk 1.4.2_25
  • sun jdk 1.4.2_26
  • sun jdk 1.4.2_27
  • sun jdk 1.4.2_28
  • sun jdk 1.4.2_29
  • sun jdk 1.4.2_30
  • sun jdk 1.4.2_31
  • sun jdk 1.4.2_32
  • sun jdk 1.4.2_33
  • sun jdk 1.4.2_34
  • sun jdk 1.4.2_35
  • sun jdk 1.4.2_36
  • sun jdk 1.4.2_37
  • sun jdk 1.5.0
  • sun jdk 1.6.0
  • sun jdk 1.6.0.200
  • sun jdk 1.6.0.210
  • sun jre 1.4.2_1
  • sun jre 1.4.2_2
  • sun jre 1.4.2_3
  • sun jre 1.4.2_4
  • sun jre 1.4.2_5
  • sun jre 1.4.2_6
  • sun jre 1.4.2_7
  • sun jre 1.4.2_8
  • sun jre 1.4.2_9
  • sun jre 1.4.2_10
  • sun jre 1.4.2_11
  • sun jre 1.4.2_12
  • sun jre 1.4.2_13
  • sun jre 1.4.2_14
  • sun jre 1.4.2_15
  • sun jre 1.4.2_16
  • sun jre 1.4.2_17
  • sun jre 1.4.2_18
  • sun jre 1.4.2_19
  • sun jre 1.4.2_20
  • sun jre 1.4.2_21
  • sun jre 1.4.2_22
  • sun jre 1.4.2_23
  • sun jre 1.4.2_24
  • sun jre 1.4.2_25
  • sun jre 1.4.2_26
  • sun jre 1.4.2_27
  • sun jre 1.4.2_28
  • sun jre 1.4.2_29
  • sun jre 1.4.2_30
  • sun jre 1.4.2_31
  • sun jre 1.4.2_32
  • sun jre 1.4.2_33
  • sun jre 1.4.2_34
  • sun jre 1.4.2_35
  • sun jre 1.4.2_36
  • sun jre 1.4.2_37
  • sun jre 1.5.0
  • sun jre 1.6.0
  • matrixssl matrixssl 3.8.2
  • erlang erlang/otp 18.3.4.7
  • erlang erlang/otp 19.3.6.4
  • erlang erlang/otp 20.1.7
  • debian debian_linux 8.0
  • debian debian_linux 9.0
  • cisco adaptivesecurityappliance5505firmware -
  • cisco adaptivesecurityappliance5510firmware -
  • cisco adaptivesecurityappliance5520firmware -
  • cisco adaptivesecurityappliance5540firmware -
  • cisco adaptivesecurityappliance5550firmware -
  • bouncycastle legion-of-the-bouncy-castle-c#-cryptography-api 0.0
  • bouncycastle legion-of-the-bouncy-castle-c#-cryptography-api 1.0
  • wolfssl wolfssl 3.6.6
  • wolfssl wolfssl 3.10.0
  • wolfssl wolfssl 3.10.0a
  • wolfssl wolfssl 3.10.4
  • citrix applicationdeliverycontroller_firmware 10.5
  • citrix applicationdeliverycontroller_firmware 11.0
  • citrix applicationdeliverycontroller_firmware 11.1
  • citrix applicationdeliverycontroller_firmware 12.0
  • citrix netscalergatewayfirmware 10.5
  • citrix netscalergatewayfirmware 11.0
  • citrix netscalergatewayfirmware 11.1
  • citrix netscalergatewayfirmware 12.0
  • cavium nitroxsslsdk 6.1.0
  • cavium nitroxvssl_sdk 1.2
  • cavium octeon_sdk 1.7.2
  • cavium octeonsslsdk 1.5.0
  • cavium turbossl_sdk 1.0
  • cisco webexconectim 7.24.1
  • cisco webex_meetings t31
  • cisco webex_meetings t32
  • cisco ace30applicationcontrolenginemodule_firmware 3.0(0)a5(2.0)
  • cisco ace30applicationcontrolenginemodule_firmware 3.0(0)a5(3.0)
  • cisco ace30applicationcontrolenginemodule_firmware 3.0(0)a5(3.5)
  • cisco ace4710applicationcontrolenginefirmware 3.0(0)a5(2.0)
  • cisco ace4710applicationcontrolenginefirmware 3.0(0)a5(3.0)
  • cisco ace4710applicationcontrolenginefirmware 3.0(0)a5(3.5)
  • cisco adaptivesecurityappliance5505firmware 9.1(7.16)
  • cisco adaptivesecurityappliance5510firmware 9.1(7.16)
  • cisco adaptivesecurityappliance5520firmware 9.1(7.16)
  • cisco adaptivesecurityappliance5540firmware 9.1(7.16)
  • cisco adaptivesecurityappliance5550firmware 9.1(7.16)
  • f5 big-ip_aam 13.0.0
  • f5 big-ip_afm 13.0.0
  • f5 big-ip_analytics 11.6.0
  • f5 big-ip_analytics 12.0.0
  • f5 big-ip_analytics 12.1.0
  • f5 big-ip_analytics 12.1.1
  • f5 big-ip_analytics 13.0.0
  • f5 big-ip_apm 13.0.0
  • f5 big-ip_asm 13.0.0
  • f5 big-iplinkcontroller 11.6.0
  • f5 big-iplinkcontroller 12.0.0
  • f5 big-iplinkcontroller 12.1.1
  • f5 big-iplinkcontroller 13.0.0
  • f5 big-ip_ltm 13.0.0
  • f5 big-ip_pem 13.0.0
  • f5 websafe 11.6.2
  • f5 websafe 13.0.0

Ease of attack

CVE-2012-5081:

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

CVE-2016-6883:

Access Vector

Access Complexity

Authentication

CVE-2017-1000385:

Access Vector

Access Complexity

Authentication

CVE-2017-12373:

Access Vector

Access Complexity

Authentication

CVE-2017-13098:

Access Vector

Access Complexity

Authentication

CVE-2017-13099:

Access Vector

Access Complexity

Authentication

CVE-2017-17382:

Access Vector

Access Complexity

Authentication

CVE-2017-17427:

Access Vector

Access Complexity

Authentication

CVE-2017-17428:

Access Vector

Access Complexity

Authentication

CVE-2017-6168:

Access Vector

Access Complexity

Authentication

False positives

False negatives

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • robotattack.org
  • tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171212-bleichenbacher