Vulnerabilities > CVE-2017-13098 - Information Exposure Through Discrepancy vulnerability in Bouncycastle Legion-Of-The-Bouncy-Castle-Java-Crytography-Api

047910
CVSS 5.9 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
network
high complexity
bouncycastle
CWE-203
nessus
metasploit

Summary

BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."

Vulnerable Configurations

Part Description Count
Application
Bouncycastle
58

Common Weakness Enumeration (CWE)

Metasploit

descriptionSome TLS implementations handle errors processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads an adaptive chosen-chiphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting and needs less than a million requests on average to decode a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack. This module requires Python 3 with the gmpy2 and cryptography packages to be present.
idMSF:AUXILIARY/SCANNER/SSL/BLEICHENBACHER_ORACLE
last seen2020-03-09
modified2018-08-27
published2018-02-02
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py
titleScanner for Bleichenbacher Oracle in RSA PKCS #1 v1.5

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-DA9FE79871.NASL
    descriptionSecurity fixes for CVE-2017-13098 and CVE-2018-1000180 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-06-19
    plugin id110599
    published2018-06-19
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110599
    titleFedora 27 : bouncycastle (2018-da9fe79871)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2018-da9fe79871.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110599);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-13098", "CVE-2018-1000180");
      script_xref(name:"FEDORA", value:"2018-da9fe79871");
    
      script_name(english:"Fedora 27 : bouncycastle (2018-da9fe79871)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fixes for CVE-2017-13098 and CVE-2018-1000180
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-da9fe79871"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected bouncycastle package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:bouncycastle");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/19");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^27([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC27", reference:"bouncycastle-1.59-1.fc27")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bouncycastle");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-776.NASL
    descriptionThis update for bouncycastle fixes the following issues : Security issues fixed : - CVE-2018-1000613: Fix use of Externally-Controlled Input to Select Classes or Code (
    last seen2020-06-05
    modified2018-07-30
    plugin id111428
    published2018-07-30
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111428
    titleopenSUSE Security Update : bouncycastle (openSUSE-2018-776)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-628.NASL
    descriptionThis update for bouncycastle to version 1.59 fixes the following issues : These security issues were fixed : - CVE-2017-13098: BouncyCastle, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provided a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange was negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as
    last seen2020-06-05
    modified2018-06-14
    plugin id110530
    published2018-06-14
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110530
    titleopenSUSE Security Update : bouncycastle (openSUSE-2018-628)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_6A131FBFEC7611E7AA65001B216D295B.NASL
    descriptionThe Legion of the Bouncy Castle reports : Release: 1.59 CVE-2017-13098 (
    last seen2020-06-01
    modified2020-06-02
    plugin id105502
    published2018-01-02
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105502
    titleFreeBSD : The Bouncy Castle Crypto APIs: CVE-2017-13098 ('ROBOT
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-CECED55C5E.NASL
    descriptionSecurity fixes for CVE-2017-13098 and CVE-2018-1000180 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120804
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120804
    titleFedora 28 : bouncycastle (2018-ceced55c5e)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2020-607.NASL
    descriptionThis update for bouncycastle fixes the following issues : Version update to 1.60 : - CVE-2018-1000613: Use of Externally-ControlledInput to Select Classes or Code (boo#1100694) - Release notes: http://www.bouncycastle.org/releasenotes.html Version update to 1.59 : - CVE-2017-13098: Fix against Bleichenbacher oracle when not using the lightweight APIs (boo#1072697). - Release notes: http://www.bouncycastle.org/releasenotes.html
    last seen2020-05-08
    modified2020-05-04
    plugin id136317
    published2020-05-04
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136317
    titleopenSUSE Security Update : bouncycastle (openSUSE-2020-607)
  • NASL familyGeneral
    NASL idSSL_ROBOT_BLEICHENBACHER.NASL
    descriptionThe remote host is affected by an information disclosure vulnerability. The SSL/TLS service supports RSA key exchanges, and incorrectly leaks whether or not the RSA key exchange sent by a client was correctly formatted. This information can allow an attacker to decrypt previous SSL/TLS sessions or impersonate the server. Note that this plugin does not attempt to recover an RSA ciphertext, however it sends a number of correct and malformed RSA ciphertexts as part of an SSL handshake and observes how the server responds. This plugin attempts to discover the vulnerability in multiple ways, by not completing the handshake and by completing it incorrectly, as well as using a variety of cipher suites. Only the first method that finds the service to be vulnerable is reported. This plugin requires report paranoia as some services will report as affected even though the issue is not exploitable.
    last seen2020-04-07
    modified2017-12-26
    plugin id105415
    published2017-12-26
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105415
    titleReturn Of Bleichenbacher's Oracle Threat (ROBOT) Information Disclosure
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-546.NASL
    descriptionThis update for bouncycastle fixes the following issues : Security issues fixed : - CVE-2018-1000613: Fix use of Externally-Controlled Input to Select Classes or Code (
    last seen2020-06-01
    modified2020-06-02
    plugin id123233
    published2019-03-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123233
    titleopenSUSE Security Update : bouncycastle (openSUSE-2019-546)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4072.NASL
    descriptionHanno Boeck, Juraj Somorovsky and Craig Young discovered that the TLS implementation in Bouncy Castle is vulnerable to an adaptive chosen ciphertext attack against RSA keys.
    last seen2020-06-01
    modified2020-06-02
    plugin id105432
    published2017-12-26
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105432
    titleDebian DSA-4072-1 : bouncycastle - security update