Vulnerabilities > CVE-2017-13099 - Information Exposure Through Discrepancy vulnerability in multiple products

CVSS 5.9 - MEDIUM

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

high complexity

nessus

metasploit

NVD

Published: 2017-12-13

Updated: 2019-10-09

Summary

wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable wolfSSL application. This vulnerability is referred to as "ROBOT."

Vulnerable Configurations

Part	Description	Count
Application	Wolfssl Wolfssl Wolfssl - Wolfssl Wolfssl 0.5 Wolfssl Wolfssl 1.8.8.0 Wolfssl Wolfssl 1.9.0 Wolfssl Wolfssl 2.0.2 Wolfssl Wolfssl 2.0.3 Wolfssl Wolfssl 2.0.6 Wolfssl Wolfssl 2.0.8 Wolfssl Wolfssl 2.1.1 Wolfssl Wolfssl 2.1.2 Wolfssl Wolfssl 2.1.4 Wolfssl Wolfssl 2.2.0 Wolfssl Wolfssl 2.2.1 Wolfssl Wolfssl 2.2.2 Wolfssl Wolfssl 2.3.0 Wolfssl Wolfssl 2.4.0 Wolfssl Wolfssl 2.4.2 Wolfssl Wolfssl 2.4.6 Wolfssl Wolfssl 2.4.7 Wolfssl Wolfssl 2.5.0 Wolfssl Wolfssl 2.5.2 Wolfssl Wolfssl 2.6.0 Wolfssl Wolfssl 2.6.2 Wolfssl Wolfssl 2.7.0 Wolfssl Wolfssl 2.7.2 Wolfssl Wolfssl 2.8.0 Wolfssl Wolfssl 2.8.2 Wolfssl Wolfssl 2.8.3 Wolfssl Wolfssl 2.8.4 Wolfssl Wolfssl 2.8.5 Wolfssl Wolfssl 2.8.6 Wolfssl Wolfssl 2.9.0 Wolfssl Wolfssl 2.9.1 Wolfssl Wolfssl 2.9.2 Wolfssl Wolfssl 2.9.4 Wolfssl Wolfssl 3.0.0 Wolfssl Wolfssl 3.0.2 Wolfssl Wolfssl 3.1.0 Wolfssl Wolfssl 3.2.0 Wolfssl Wolfssl 3.2.4 Wolfssl Wolfssl 3.2.6 Wolfssl Wolfssl 3.3.0 Wolfssl Wolfssl 3.3.2 Wolfssl Wolfssl 3.3.3 Wolfssl Wolfssl 3.4.0 Wolfssl Wolfssl 3.4.2 Wolfssl Wolfssl 3.4.6 Wolfssl Wolfssl 3.4.8 Wolfssl Wolfssl 3.6.0 Wolfssl Wolfssl 3.6.2 Wolfssl Wolfssl 3.6.6 Wolfssl Wolfssl 3.6.8 Wolfssl Wolfssl 3.6.9 Wolfssl Wolfssl 3.7.0 Wolfssl Wolfssl 3.7.1 Wolfssl Wolfssl 3.7.3 Wolfssl Wolfssl 3.8.0 Wolfssl Wolfssl 3.9.0 Wolfssl Wolfssl 3.9.1 Wolfssl Wolfssl 3.9.6 Wolfssl Wolfssl 3.9.8 Wolfssl Wolfssl 3.9.10 Wolfssl Wolfssl 3.10.0 Wolfssl Wolfssl 3.10.0A Wolfssl Wolfssl 3.10.2 Wolfssl Wolfssl 3.10.3 Wolfssl Wolfssl 3.10.4 Wolfssl Wolfssl 3.11.0 Wolfssl Wolfssl 3.11.1 Wolfssl Wolfssl 3.12.0	70
Application	Arubanetworks Arubanetworks Instant 6.4.4.6 Arubanetworks Instant 6.5.0.0 Arubanetworks Instant 6.5.3.0 Arubanetworks Instant 6.5.3.3 Arubanetworks Instant 6.5.4.0 Arubanetworks Instant 6.5.4.3 Arubanetworks Instant 6.5.4.4 Arubanetworks Instant 6.5.4.5	8
OS	Siemens Siemens Scalance W1750D Firmware - Siemens Scalance W1750D Firmware 6.5.1.5	2
Hardware	Siemens Siemens Scalance W1750D -	1

Common Weakness Enumeration (CWE)

CWE-203 - Information Exposure Through Discrepancy

Metasploit

description	Some TLS implementations handle errors processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads an adaptive chosen-chiphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting and needs less than a million requests on average to decode a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack. This module requires Python 3 with the gmpy2 and cryptography packages to be present.
id	MSF:AUXILIARY/SCANNER/SSL/BLEICHENBACHER_ORACLE
last seen	2020-03-09
modified	2018-08-27
published	2018-02-02
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6168 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17382 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17427 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17428 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12373 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13098 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000385 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13099 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6883 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5081 https://robotattack.org https://eprint.iacr.org/2017/1189 https://github.com/robotattackorg/robot-detect
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py
title	Scanner for Bleichenbacher Oracle in RSA PKCS #1 v1.5

Nessus

NASL family	General
NASL id	SSL_ROBOT_BLEICHENBACHER.NASL
description	The remote host is affected by an information disclosure vulnerability. The SSL/TLS service supports RSA key exchanges, and incorrectly leaks whether or not the RSA key exchange sent by a client was correctly formatted. This information can allow an attacker to decrypt previous SSL/TLS sessions or impersonate the server. Note that this plugin does not attempt to recover an RSA ciphertext, however it sends a number of correct and malformed RSA ciphertexts as part of an SSL handshake and observes how the server responds. This plugin attempts to discover the vulnerability in multiple ways, by not completing the handshake and by completing it incorrectly, as well as using a variety of cipher suites. Only the first method that finds the service to be vulnerable is reported. This plugin requires report paranoia as some services will report as affected even though the issue is not exploitable.
last seen	2020-04-07
modified	2017-12-26
plugin id	105415
published	2017-12-26
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/105415
title	Return Of Bleichenbacher's Oracle Threat (ROBOT) Information Disclosure

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Metasploit

Nessus

References