ID CVE-2017-6168
Summary On BIG-IP versions 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3) a virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages and/or a Man-in-the-middle (MiTM) attack, despite the attacker not having gained access to the server's private key itself, aka a ROBOT attack.
References
Vulnerable Configurations
  • F5 BIG-IP LTM 13.0.0
    cpe:2.3:a:f5:big-ip_ltm:13.0.0
  • F5 BIG-IP AAM 13.0.0
    cpe:2.3:a:f5:big-ip_aam:13.0.0
  • F5 BIG-IP AFM 13.0.0
    cpe:2.3:a:f5:big-ip_afm:13.0.0
  • F5 BIG-IP Analytics 11.6.0
    cpe:2.3:a:f5:big-ip_analytics:11.6.0
  • F5 BIG-IP Analytics 12.0.0
    cpe:2.3:a:f5:big-ip_analytics:12.0.0
  • F5 BIG-IP Analytics 12.1.0
    cpe:2.3:a:f5:big-ip_analytics:12.1.0
  • F5 BIG-IP Analytics 12.1.1
    cpe:2.3:a:f5:big-ip_analytics:12.1.1
  • F5 BIG-IP Analytics 13.0.0
    cpe:2.3:a:f5:big-ip_analytics:13.0.0
  • F5 BIG-IP APM 13.0.0
    cpe:2.3:a:f5:big-ip_apm:13.0.0
  • F5 BIG-IP ASM 13.0.0
    cpe:2.3:a:f5:big-ip_asm:13.0.0
  • F5 BIG-IP Link Controller 11.6.0
    cpe:2.3:a:f5:big-ip_link_controller:11.6.0
  • F5 BIG-IP Link Controller 12.0.0
    cpe:2.3:a:f5:big-ip_link_controller:12.0.0
  • F5 BIG-IP Link Controller 12.1.1
    cpe:2.3:a:f5:big-ip_link_controller:12.1.1
  • F5 BIG-IP Link Controller 13.0.0
    cpe:2.3:a:f5:big-ip_link_controller:13.0.0
  • F5 BIG-IP PEM 13.0.0
    cpe:2.3:a:f5:big-ip_pem:13.0.0
  • F5 WebSafe 11.6.2
    cpe:2.3:a:f5:websafe:11.6.2
  • F5 WebSafe 13.0.0
    cpe:2.3:a:f5:websafe:13.0.0
CVSS
Base: 4.3
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
metasploit via4
description Some TLS implementations handle errors processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads to an adaptive chosen-ciphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting and needs less than a million requests on average to decode a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack. This module requires Python 3 with the gmpy2 and cryptography packages to be present.
id MSF:AUXILIARY/SCANNER/SSL/BLEICHENBACHER_ORACLE
last seen 2019-03-26
modified 1976-01-01
published 1976-01-01
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.rb
title Scanner for Bleichenbacher Oracle in RSA PKCS #1 v1.5
nessus via4
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL21905460.NASL
    description On BIG-IP versions 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3) a virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages and/or a Man-in-the-middle (MiTM) attack, despite the attacker not having gained access to the server's private key itself, aka a ROBOT attack. (CVE-2017-6168)
    Impact: Exploiting this vulnerability to perform plaintext recovery of encrypted messages will, in most practical cases, allow an attacker to read the plaintext only after the session has completed. Only TLS sessions established using RSA key exchange are vulnerable to this attack. Exploiting this vulnerability to conduct a MiTM attack requires the attacker to complete the initial attack, which may require millions of server requests, during the handshake phase of the targeted session, within the window of the configured handshake timeout. This attack may be conducted against any TLS session using RSA signatures, but only if cipher suites using RSA key exchange are also enabled on the virtual server. The limited window of opportunity, limitations in bandwidth, and latency make this attack significantly more difficult to execute.
    This vulnerability affects BIG-IP systems with the following configuration: a virtual server associated with a Client SSL profile with RSA key exchange enabled; RSA key exchange is enabled by default. Captured TLS sessions encrypted with ephemeral cipher suites (DHE or ECDHE) are not at risk for subsequent decryption due to this vulnerability.
    Important: Virtual servers configured with a Client SSL profile with the Generic Alert option disabled (enabled by default) are at higher risk because they report the specific handshake failure instead of a generic message. Virtual servers configured with a Client SSL profile that has the Client Certificate option under the Client Authentication section set to require will limit the threat to attackers that are able to successfully authenticate first. Without client certificate authentication, this attack is unauthenticated and anonymous. Virtual servers that have completely disabled RSA Key Exchange cipher suites within the Client SSL profile (for example, cipher string DEFAULT:!RSA) are NOT impacted by this vulnerability. BIG-IP Configuration utility, iControl services, big3d collection agent, and Centralized Management Infrastructure (CMI) connections are NOT impacted by this vulnerability. Captured traffic from sessions using Perfect Forward Secrecy (PFS) cipher suites (DHE or ECDHE) cannot be decrypted due to this vulnerability. This vulnerability is not an RSA private key recovery attack and does not compromise the server's private key.
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 104687
    published 2017-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104687
    title F5 Networks BIG-IP : BIG-IP SSL vulnerability (K21905460) (ROBOT)
  • NASL family General
    NASL id SSL_ROBOT_BLEICHENBACHER.NASL
    description The remote host is affected by an information disclosure vulnerability. The SSL/TLS service supports RSA key exchanges, and incorrectly leaks whether or not the RSA key exchange sent by a client was correctly formatted. This information can allow an attacker to decrypt previous SSL/TLS sessions or impersonate the server. Note that this plugin does not attempt to recover an RSA ciphertext; however, it sends a number of correct and malformed RSA ciphertexts as part of an SSL handshake and observes how the server responds. This plugin attempts to discover the vulnerability in multiple ways, by not completing the handshake and by completing it incorrectly, as well as using a variety of cipher suites. Only the first method that finds the service to be vulnerable is reported. This plugin requires report paranoia, as some services will report as affected even though the issue is not exploitable.
    last seen 2019-02-21
    modified 2018-09-14
    plugin id 105415
    published 2017-12-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105415
    title Return Of Bleichenbacher's Oracle Threat (ROBOT) Information Disclosure
refmap via4
bid 101901
cert-vn VU#144389
confirm https://support.f5.com/csp/article/K21905460
misc https://robotattack.org/
sectrack 1039839
Last major update 17-11-2017 - 14:29
Published 17-11-2017 - 14:29
Last modified 05-01-2018 - 09:09