oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

ROBOT attack (WolfSSL, Bouncy Castle, Erlang)

From: Hanno Böck <hanno () hboeck de>
Date: Tue, 12 Dec 2017 16:18:34 +0100
Hi,

I published details about the ROBOT attack today, it's a couple of
minor variations of the old Bleichenbacher attack.
(Return Of Bleichenbacher's Oracle Threat)

https://robotattack.org/

It is mostly about proprietary appliances, but also affects three FOSS
TLS stacks.

The attack is based on the fact that an attacker can distinguish valid
and invalid RSA PKCS #1 v1.5 paddings based on different server
responses.

Erlang (CVE-2017-1000385):
http://erlang.org/pipermail/erlang-questions/2017-November/094257.html
http://erlang.org/pipermail/erlang-questions/2017-November/094256.html
http://erlang.org/pipermail/erlang-questions/2017-November/094255.html

WolfSSL (CVE-2017-13099):
https://github.com/wolfSSL/wolfssl/pull/1229
(only a pull req for now, no new release yet)

Bouncy Castle (CVE-2017-13098):
https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c
1.59 beta 9 contains the fix:
https://downloads.bouncycastle.org/betas/

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Previous By Date Next
Previous By Thread Next

Current thread: