oss-sec mailing list archives
ROBOT attack (WolfSSL, Bouncy Castle, Erlang)
From: Hanno Böck <hanno () hboeck de>
Date: Tue, 12 Dec 2017 16:18:34 +0100
Hi, I published details about the ROBOT attack today, it's a couple of minor variations of the old Bleichenbacher attack. (Return Of Bleichenbacher's Oracle Threat) https://robotattack.org/ It is mostly about proprietary appliances, but also affects three FOSS TLS stacks. The attack is based on the fact that an attacker can distinguish valid and invalid RSA PKCS #1 v1.5 paddings based on different server responses. Erlang (CVE-2017-1000385): http://erlang.org/pipermail/erlang-questions/2017-November/094257.html http://erlang.org/pipermail/erlang-questions/2017-November/094256.html http://erlang.org/pipermail/erlang-questions/2017-November/094255.html WolfSSL (CVE-2017-13099): https://github.com/wolfSSL/wolfssl/pull/1229 (only a pull req for now, no new release yet) Bouncy Castle (CVE-2017-13098): https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c 1.59 beta 9 contains the fix: https://downloads.bouncycastle.org/betas/ -- Hanno Böck https://hboeck.de/ mail/jabber: hanno () hboeck de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Current thread:
- ROBOT attack (WolfSSL, Bouncy Castle, Erlang) Hanno Böck (Dec 12)