Vulnerabilities > CVE-2017-13098 - Information Exposure Through Discrepancy vulnerability in Bouncycastle Legion-Of-The-Bouncy-Castle-Java-Crytography-Api
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Metasploit
| description | Some TLS implementations handle errors processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads an adaptive chosen-chiphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting and needs less than a million requests on average to decode a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack. This module requires Python 3 with the gmpy2 and cryptography packages to be present. |
| id | MSF:AUXILIARY/SCANNER/SSL/BLEICHENBACHER_ORACLE |
| last seen | 2020-03-09 |
| modified | 2018-08-27 |
| published | 2018-02-02 |
| references |
|
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py |
| title | Scanner for Bleichenbacher Oracle in RSA PKCS #1 v1.5 |
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2018-DA9FE79871.NASL description Security fixes for CVE-2017-13098 and CVE-2018-1000180 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-06-19 plugin id 110599 published 2018-06-19 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110599 title Fedora 27 : bouncycastle (2018-da9fe79871) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2018-da9fe79871. # include("compat.inc"); if (description) { script_id(110599); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-13098", "CVE-2018-1000180"); script_xref(name:"FEDORA", value:"2018-da9fe79871"); script_name(english:"Fedora 27 : bouncycastle (2018-da9fe79871)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Security fixes for CVE-2017-13098 and CVE-2018-1000180 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-da9fe79871" ); script_set_attribute( attribute:"solution", value:"Update the affected bouncycastle package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:bouncycastle"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/13"); script_set_attribute(attribute:"patch_publication_date", value:"2018/06/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/19"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^27([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC27", reference:"bouncycastle-1.59-1.fc27")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bouncycastle"); }NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-776.NASL description This update for bouncycastle fixes the following issues : Security issues fixed : - CVE-2018-1000613: Fix use of Externally-Controlled Input to Select Classes or Code ( last seen 2020-06-05 modified 2018-07-30 plugin id 111428 published 2018-07-30 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111428 title openSUSE Security Update : bouncycastle (openSUSE-2018-776) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-628.NASL description This update for bouncycastle to version 1.59 fixes the following issues : These security issues were fixed : - CVE-2017-13098: BouncyCastle, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provided a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange was negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as last seen 2020-06-05 modified 2018-06-14 plugin id 110530 published 2018-06-14 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110530 title openSUSE Security Update : bouncycastle (openSUSE-2018-628) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_6A131FBFEC7611E7AA65001B216D295B.NASL description The Legion of the Bouncy Castle reports : Release: 1.59 CVE-2017-13098 ( last seen 2020-06-01 modified 2020-06-02 plugin id 105502 published 2018-01-02 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105502 title FreeBSD : The Bouncy Castle Crypto APIs: CVE-2017-13098 ('ROBOT NASL family Fedora Local Security Checks NASL id FEDORA_2018-CECED55C5E.NASL description Security fixes for CVE-2017-13098 and CVE-2018-1000180 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120804 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120804 title Fedora 28 : bouncycastle (2018-ceced55c5e) NASL family SuSE Local Security Checks NASL id OPENSUSE-2020-607.NASL description This update for bouncycastle fixes the following issues : Version update to 1.60 : - CVE-2018-1000613: Use of Externally-ControlledInput to Select Classes or Code (boo#1100694) - Release notes: http://www.bouncycastle.org/releasenotes.html Version update to 1.59 : - CVE-2017-13098: Fix against Bleichenbacher oracle when not using the lightweight APIs (boo#1072697). - Release notes: http://www.bouncycastle.org/releasenotes.html last seen 2020-05-08 modified 2020-05-04 plugin id 136317 published 2020-05-04 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136317 title openSUSE Security Update : bouncycastle (openSUSE-2020-607) NASL family General NASL id SSL_ROBOT_BLEICHENBACHER.NASL description The remote host is affected by an information disclosure vulnerability. The SSL/TLS service supports RSA key exchanges, and incorrectly leaks whether or not the RSA key exchange sent by a client was correctly formatted. This information can allow an attacker to decrypt previous SSL/TLS sessions or impersonate the server. Note that this plugin does not attempt to recover an RSA ciphertext, however it sends a number of correct and malformed RSA ciphertexts as part of an SSL handshake and observes how the server responds. This plugin attempts to discover the vulnerability in multiple ways, by not completing the handshake and by completing it incorrectly, as well as using a variety of cipher suites. Only the first method that finds the service to be vulnerable is reported. This plugin requires report paranoia as some services will report as affected even though the issue is not exploitable. last seen 2020-04-07 modified 2017-12-26 plugin id 105415 published 2017-12-26 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105415 title Return Of Bleichenbacher's Oracle Threat (ROBOT) Information Disclosure NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-546.NASL description This update for bouncycastle fixes the following issues : Security issues fixed : - CVE-2018-1000613: Fix use of Externally-Controlled Input to Select Classes or Code ( last seen 2020-06-01 modified 2020-06-02 plugin id 123233 published 2019-03-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123233 title openSUSE Security Update : bouncycastle (openSUSE-2019-546) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4072.NASL description Hanno Boeck, Juraj Somorovsky and Craig Young discovered that the TLS implementation in Bouncy Castle is vulnerable to an adaptive chosen ciphertext attack against RSA keys. last seen 2020-06-01 modified 2020-06-02 plugin id 105432 published 2017-12-26 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105432 title Debian DSA-4072-1 : bouncycastle - security update
References
- https://robotattack.org/
- https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c
- http://www.kb.cert.org/vuls/id/144389
- http://www.securityfocus.com/bid/102195
- https://www.debian.org/security/2017/dsa-4072
- https://security.netapp.com/advisory/ntap-20171222-0001/
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html
- https://www.oracle.com/security-alerts/cpuoct2020.html