Inconsistencies in answers to RSA errors (possibly Bleichenbacher/ROBOT attack) #285

Open
hannob opened this Issue Sep 13, 2018 · 0 comments


hannob commented Sep 13, 2018

Last year we published research that several TLS implementations were still vulnerable to the classic "Bleichenbacher" attack from 1998 and named it the ROBOT attack [1].

While analyzing several implementations we also figured out inconsistencies with haskell-tls, but as we couldn't really make sense of them we haven't analyzed them in more detail.

We observe that in some situations as a response to faulty RSA encryption packages a haskell tls server will answer with an internal server error instead of a bad_record_mac error. The behavior is inconsistent, so we're not sure this can be turned into a practical attack. Yet it's still definitely a bug and potentially a vulnerability.

This only happens with ciphers with AES256 and CBC mode. (Which is also why our detection script and many other detection tools that are based on it will not see it, as they often will just test with AES128.)

It was originally pointed out to us by Hubert Kario (he's the developer of tls-fuzzer, which will show errors if you run its bleichenbacher check [2] against a haskell tls server). Another tool that's capable of detecting the error is TLS-Attacker, which is by one of ROBOT's co-authors [3].

A test run would be something like this:

```
java -jar Attacks.jar -loglevel DEBUG bleichenbacher -connect [host] -cipher TLS_RSA_WITH_AES_256_CBC_SHA
```

[1] https://robotattack.org/
[2] https://github.com/tomato42/tlsfuzzer/blob/master/scripts/test-bleichenbacher-workaround.py
[3] https://github.com/RUB-NDS/TLS-Attacker

@hannob hannob changed the title from haskell-tls inconsistencies in answers to RSA errors (possibly Bleichenbacher/ROBOT attack) to Inconsistencies in answers to RSA errors (possibly Bleichenbacher/ROBOT attack) Sep 13, 2018

@kazu-yamamoto kazu-yamamoto self-assigned this Sep 14, 2018
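A regression check for the behaviour reported above, as an added example that is not part of the original issue or of any of the tools it names: it parses the plaintext TLS alert in each captured server reply and reports every cipher suite for which malformed RSA key exchanges did not all get the same response. The sample replies, the test-case labels and the reading of "internal server error" as the `internal_error` alert (80) are assumptions made for the illustration.

```python
import struct
from collections import defaultdict

ALERT = 21  # TLS record content type for alerts
# Alert descriptions; mapping the issue's "internal server error" to 80 is an assumption.
NAMES = {20: "bad_record_mac", 40: "handshake_failure", 51: "decrypt_error", 80: "internal_error"}

def first_alert(data: bytes) -> str:
    """Name of the first plaintext alert in a server reply, else a coarse label."""
    if not data:
        return "no_data"  # connection closed or timed out without a reply
    pos = 0
    while pos + 5 <= len(data):
        ctype, _version, length = struct.unpack_from("!BHH", data, pos)
        body = data[pos + 5 : pos + 5 + length]
        if len(body) < length:
            return "truncated_record"
        if ctype == ALERT:
            if length != 2:
                return "malformed_alert"  # plaintext alert is level + description
            return NAMES.get(body[1], f"alert_{body[1]}")
        pos += 5 + length
    return "truncated_record" if pos < len(data) else "no_alert"

def oracle_report(observations):
    """observations: iterable of (cipher_suite, test_case, reply_bytes).
    Returns {suite: {response: sorted test cases}} for suites whose replies differ."""
    seen = defaultdict(lambda: defaultdict(set))
    for suite, case, reply in observations:
        seen[suite][first_alert(reply)].add(case)
    return {s: {r: sorted(c) for r, c in by.items()} for s, by in seen.items() if len(by) > 1}

def alert(desc: int) -> bytes:
    return bytes([ALERT, 3, 3, 0, 2, 2, desc])  # TLS 1.2 record, fatal alert

AES128, AES256 = "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"
SAMPLE = [  # constructed replies; test-case labels are hypothetical
    (AES128, "malformed_1", alert(20)),
    (AES128, "malformed_2", alert(20)),
    (AES256, "malformed_1", alert(20)),
    (AES256, "malformed_2", alert(80)),
    (AES256, "malformed_2", alert(20)),  # repeat run of the same case, different answer
]

if __name__ == "__main__":
    print(oracle_report(SAMPLE))
```

Running the same malformed cases against both AES128 and AES256 suites matters here, since a check limited to AES128 would report nothing for the constructed sample.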
