SSL/TLS Adaptive Chosen Ciphertext Attack Vulnerability against RSA (ROBOT Attack)

I got this as a result of my PCI scan. It says our site is vulnerable to the ROBOT attack (so I am not placing my domain here, as it is vulnerable to the attack). Can you please let me know what is wrong and what I have to do to increase my security?

Description
The detected service is vulnerable to an Adaptive Chosen Ciphertext attack vulnerability against RSA (aka “ROBOT Attack”). By manipulating the padding on an encrypted string, an attacker could be able to reveal information about the encrypted message by monitoring the error messages returned by the server. The encrypted data could be retrieved if the attacker successfully exploits this flaw. This vulnerability is due to an issue in the implementation of the SSL/TLS protocol. Please refer to the correct CVE and patch (e.g. Reference section) according to the implementation of SSL/TLS running on this host.
CVE: CVE-2017-12373, CVE-2017-17428, CVE-2017-17427, CVE-2017-17382, CVE-2017-6168, CVE-2012-5081, CVE-2016-6883, CVE-2017-13099, CVE-2017-1000385, CVE-2017-13098
Solution: Please refer to this link https://robotattack.org/#patches for up-to-date fixes, patches and guidance.

Reference


Evidence
Cryptographic Oracle Strength: Strong (real attack is possible)
TLS SSL version: TLSv1.2
Message Flow Type: Standard
Message Flow: TLS alert 20 (length 7) / TLS alert 51 (length 7) / TLS alert 20 (length 7) / TLS alert 20 (length 7) / TLS alert 20 (length 7)


According to the results from www.ssllabs.com, the following are the amber (warning?) issues:
Summary
This server supports TLS 1.1. Grade capped to B. MORE INFO »

Certificate #1: RSA 2048 bits (SHA256withRSA)
DNS CAA No (more info)

Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI

Configuration
Protocols
TLS 1.1 Yes (but TLS 1.2 Green)

Cipher Suites

TLS 1.2 (suites in server-preferred order)

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS WEAK 256
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc077) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0xc4) DH 2048 bits FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS WEAK 128
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0xc076) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0xbe) DH 2048 bits FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS WEAK 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 2048 bits FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS WEAK 128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) DH 2048 bits FS WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_256_CCM_8 (0xc0a1) WEAK 256
TLS_RSA_WITH_AES_256_CCM (0xc09d) WEAK 256
TLS_RSA_WITH_ARIA_256_GCM_SHA384 (0xc051) WEAK 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_128_CCM_8 (0xc0a0) WEAK 128
TLS_RSA_WITH_AES_128_CCM (0xc09c) WEAK 128
TLS_RSA_WITH_ARIA_128_GCM_SHA256 (0xc050) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0xc0) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0xba) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) WEAK 128

TLS 1.1 (suites in server-preferred order)

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS WEAK 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 2048 bits FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS WEAK 128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) DH 2048 bits FS WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) WEAK 128

My domain is:

I ran this command:
in the vhost file

It produced this output:
SSLEngine on
SSLProtocol -All +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder on
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

My web server is (include version):
Apache/2.4.46 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.23.0

1 Like
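The Evidence block of the scan is the part that actually says why the host was flagged. As an added illustration (not code from the scanner, from robotattack.org or from anyone in this thread), the following Python parses that "Message Flow" line. The scanner sends several RSA ClientKeyExchange messages with differently malformed PKCS#1 v1.5 padding; a server is an oracle exactly when it does not answer all of them the same way. In the quoted evidence the second probe gets TLS alert 51 (decrypt_error) while the others get alert 20 (bad_record_mac), which is the distinguishable behaviour a patched implementation must not show. The EVIDENCE_FIXED line is constructed for comparison, and the scanner's Strong/Weak strength rating (which depends on which probes differ) is not reproduced here.

```python
"""Classify a ROBOT scanner 'Message Flow' evidence line.

Added illustration for this thread, not code from the scanner or from
robotattack.org. The alert numbers are TLS AlertDescription values from
RFC 5246: a server with an RSA padding oracle answers differently
malformed ClientKeyExchange probes with different alerts, while a fixed
server substitutes a random premaster secret and fails every probe the
same way (alert 20, bad_record_mac, at the Finished message).
"""
import re
from typing import List, Tuple

ALERT_NAMES = {
    20: "bad_record_mac",
    40: "handshake_failure",
    51: "decrypt_error",
    80: "internal_error",
}

# Evidence line copied from the scan output quoted in the question
EVIDENCE = ("Message Flow: TLS alert 20 (length 7) / TLS alert 51 (length 7) / "
            "TLS alert 20 (length 7) / TLS alert 20 (length 7) / TLS alert 20 (length 7)")

# Constructed counterpart: what the same line looks like for a patched server
EVIDENCE_FIXED = ("Message Flow: TLS alert 20 (length 7) / TLS alert 20 (length 7) / "
                  "TLS alert 20 (length 7) / TLS alert 20 (length 7) / TLS alert 20 (length 7)")

_RESPONSE = re.compile(r"TLS alert (\d+) \(length (\d+)\)")


def parse_flow(line: str) -> List[Tuple[int, int]]:
    """Return one (alert_code, record_length) pair per probe response."""
    return [(int(code), int(length)) for code, length in _RESPONSE.findall(line)]


def oracle_present(line: str) -> bool:
    """True when the responses are not all identical, i.e. the server leaks
    whether the RSA-encrypted premaster secret had acceptable padding."""
    responses = parse_flow(line)
    if not responses:
        raise ValueError("no TLS alert responses found in evidence line")
    return len(set(responses)) > 1


def describe(line: str) -> str:
    """Human-readable verdict for the evidence line."""
    responses = parse_flow(line)
    distinct = sorted({code for code, _ in responses})
    names = ", ".join(f"{c} ({ALERT_NAMES.get(c, 'unknown')})" for c in distinct)
    if oracle_present(line):
        return (f"ORACLE: {len(responses)} probes answered with "
                f"{len(distinct)} distinct alerts: {names}")
    return f"no oracle: all {len(responses)} probes answered with alert {names}"


if __name__ == "__main__":
    print(describe(EVIDENCE))
    print(describe(EVIDENCE_FIXED))
```

The check reduces to "are all responses identical" because RFC 5246 section 7.4.7.1 requires a server to treat a badly padded ClientKeyExchange exactly like a well-formed one and let the handshake fail later. The "Message Flow Type: Standard" line in the evidence refers to a second probe variant the real scanner also runs, which this parser does not model.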

I would start by disabling TLSv1.1:

SSLProtocol can be changed to:
SSLProtocol -All +TLSv1.2

SSLCipherSuite can be changed to:
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

Then try SSLLabs again.

If that still fails, you might want to review these sites:
Mitigating-Obsolete-TLS/webserver at master · nsacyber/Mitigating-Obsolete-TLS · GitHub
Security/Server Side TLS - MozillaWiki

4 Likes

In addition to @rg305's very helpful recommendations, you might want to check that your system is getting software updates and is running software that is still supported. I don't remember the details of the ROBOT vulnerability or its mitigations, but the reference to software patches suggests to me that it might also be fixed through software updates, in which case systems that remain vulnerable might be mainly those that are running out-of-date software.

3 Likes

Thank you for your suggestions. I have updated the vhost file with the given values. It works, but there were a number of issues in our vhost files & configurations. Later, I changed the SSLCipherSuite value to this:

SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

1 Like

Finally I got an all-green result in the SSL report.

The server configuration (vhosts) was a bit messy (multiple vhost files) and different certificates were mapped. So if you are facing the same kind of issue, please check all the relevant vhosts, certificates and their paths first.
But when I was testing on https://www.ssllabs.com I first used Chrome, and every time it returned the same results even after I made a number of changes and cleared the cache (both browser & SSL Labs site). Then I switched to Firefox private browsing, and found that there were different issues.

As @rg305 recommended, I removed +TLSv1.1 from SSLProtocol:
SSLProtocol -All +TLSv1.2

And also set the cipher suite as:

SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

Check the certificate paths and their expiry dates, and compare them with the certificate details in the browser.
Restart Apache2.
Test again at www.ssllabs.com

1 Like
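Both cipher strings in this thread, rg305's explicit list and the `HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL` string the thread ends with, can be checked for the one property that matters for ROBOT: whether the server still offers suites with static RSA key exchange, because only those make the server RSA-decrypt a value chosen by the client. The following Python is an added example (not Apache, OpenSSL or SSL Labs code, and not from anyone in the thread). It classifies IANA names like those in the SSL Labs listing and OpenSSL names like those in SSLCipherSuite, and flags class keywords such as HIGH that it cannot expand offline; on the server itself, `openssl ciphers -v 'HIGH:!aNULL:!eNULL:!NULL'` shows the expansion, with `Kx=RSA` marking the static RSA suites. The hyphen heuristic for telling suite names from keywords and the HARDENED string are my own assumptions.

```python
"""Check which entries of a TLS cipher list still use static RSA key exchange.

Added example for this thread, not code from Apache, OpenSSL, SSL Labs or
robotattack.org. ROBOT needs the server to RSA-decrypt the ClientKeyExchange,
which only happens for RSA key-exchange suites (IANA TLS_RSA_WITH_*; OpenSSL
names without an ECDHE-/DHE- style prefix, e.g. AES256-GCM-SHA384). Suites
with (EC)DHE key exchange use the RSA key only for signatures.
"""
import re
from typing import Dict, List

KX_STATIC_RSA = "static RSA (ROBOT-relevant)"
KX_OTHER = "other key exchange (not ROBOT-relevant)"

# OpenSSL name prefixes that denote a non-RSA key exchange (assumed complete
# enough for the names used in this thread)
_NON_RSA_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "ECDH-", "DH-", "ADH-", "AECDH-",
                     "PSK-", "SRP-")

# IANA names as listed in the SSL Labs report above (subset)
SSLLABS_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# rg305's proposed Apache SSLCipherSuite string (OpenSSL naming)
PROPOSED = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
            "ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:"
            "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256:"
            "ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256 "
            "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4")
# The string the original poster settled on
FINAL = "HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL"
# Constructed variant: !kRSA is the OpenSSL keyword that removes RSA key exchange
HARDENED = "HIGH:!aNULL:!eNULL:!kRSA"


def key_exchange(name: str) -> str:
    """Classify an IANA (TLS_...) or OpenSSL suite name by key exchange."""
    n = name.upper()
    if n.startswith("TLS_"):
        # IANA: the key-exchange token sits between TLS_ and _WITH_;
        # TLS 1.3 names have no _WITH_ and fall through to KX_OTHER.
        kx = n[len("TLS_"):].split("_WITH_")[0]
        return KX_STATIC_RSA if kx == "RSA" else KX_OTHER
    if n.startswith(_NON_RSA_PREFIXES):
        return KX_OTHER
    # OpenSSL names with no key-exchange prefix (AES128-SHA, CAMELLIA256-SHA,
    # RC4-SHA, ...) are the static RSA suites.
    return KX_STATIC_RSA


def audit_cipher_string(cipher_string: str) -> Dict[str, List[str]]:
    """Split an OpenSSL-style cipher string (':', ',' or space separated) and
    bucket each entry. Class keywords (HIGH, !aNULL, ...) cannot be expanded
    offline; heuristic (assumption): OpenSSL suite names contain a '-',
    keywords do not, and '!', '+', '-' prefixes are always keywords."""
    report: Dict[str, List[str]] = {"static_rsa": [], "forward_secrecy": [], "keywords": []}
    for entry in re.split(r"[:\s,]+", cipher_string.strip()):
        if not entry:
            continue
        if entry[0] in "!+-" or "-" not in entry:
            report["keywords"].append(entry)
        elif key_exchange(entry) == KX_STATIC_RSA:
            report["static_rsa"].append(entry)
        else:
            report["forward_secrecy"].append(entry)
    return report


def excludes_static_rsa(cipher_string: str) -> bool:
    """True only if no static RSA suite is listed explicitly AND !kRSA is
    present, so that class keywords such as HIGH cannot reintroduce one."""
    report = audit_cipher_string(cipher_string)
    return "!kRSA" in report["keywords"] and not report["static_rsa"]


if __name__ == "__main__":
    for label, s in (("proposed", PROPOSED), ("final", FINAL), ("hardened", HARDENED)):
        r = audit_cipher_string(s)
        print(f"{label}: static RSA {r['static_rsa']}, keywords {r['keywords']}, "
              f"kRSA excluded: {excludes_static_rsa(s)}")
```

OpenSSL's HIGH class does include static RSA suites such as AES256-GCM-SHA384 and AES128-SHA, so the final string still allows RSA key exchange; SSL Labs marks exactly those suites WEAK above because they lack forward secrecy. Adding `!kRSA` removes them regardless of how HIGH expands on a given OpenSSL build, which also makes the ROBOT code path unreachable even before the library update that fixes the oracle itself.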
