Imperva Security Response to ROBOT Attack

On December 8, researchers disclosed ROBOT (Return Of Bleichenbacher's Oracle Threat), a new SSL security vulnerability that if exploited allows for decryption of certain SSL traffic. Read this security advisory to learn how you can protect your infrastructure from this vulnerability.

This advisory applies to the following CVEs: CVE-2017-6168, CVE-2017-1000385, CVE-2017-17427, CVE-2017-13098, CVE-2017-13099, CVE-2017-17428, CVE-2017-17382, CVE-2012-5081, CVE-2016-6883

The Bleichenbacher attack (aka the million message attack) is an Adaptive Chosen Ciphertext attack known as Padding Oracle attack on RSA, allowing attacker to decrypt messages that are RSA-encrypted (there also a less efficient RSA-Sign attack). The applicability of the attack depends on several factors:

  • Padding Oracle: the attacker need to have access to a padding oracle – a decryption server that given an encrypted message, responds with PASS if the decrypted message has a correct padding, and FAIL otherwise.
  • Vulnerable Padding algorithm: the padding algorithm needs to be vulnerable to the attack. PKCS 1.5 is vulnerable (PKCS padding of a message k is as follows: 0x00 || 0x02 || PS || 0x0000 || k when k is the message and PS is a random string that does not have 0x00 in it). Other padding schemes like PKCS 2.2 are not vulnerable to the attack.

The attacker crafts special messages, sends them to the server and expects to learn whether after running the RSA private operation (DECRYPT), the resultant string is padded properly. Specifically, the way the attack works relies on whether or not the second byte is 0x02, as should be in PKCS1.5 padding. Getting the info from the server on whether the string was properly padded or not, the attacker will build another message and so on, eventually decrypting a specific message.

NOTE: the private key itself is not exposed in the attack. However, for SSL the message that is encrypted (and can be exposed through the attack) is the SSL session key.

CERT/CC previously published CERT Advisory CA-1998-07 for this type of attack.

More information:

Impact Upon Imperva Products

Imperva Incapsula management traffic is not vulnerable.

As a best practice, the management interface and all management traffic for Imperva SecureSphere, Imperva Camouflage and Imperva Counterbreach should be isolated to private internal networks. This eliminates the potential for malicious access to the management interface, or external eavesdropping on management traffic. If SecureSphere is deployed on AWS or Azure, please see Imperva documentation for best practices for isolating management traffic in these environments.

Imperva Camouflage management traffic is not vulnerable.

Imperva CounterBreach 2.x traffic is not vulnerable.

Imperva CounterBreach v1.2 and v1.3 should upgrade to v2.x at your earliest convenience. If this is not possible, please contact the Imperva support team for individual instruction on mitigation.

Some versions of SecureSphere are vulnerable to the ROBOTS CVE’s in regard to Management Interface Traffic (MX and SOM).

  • Imperva SecureSphere v12.x management interface traffic is not vulnerable.
  • Imperva SecureSphere v11.5.x mitigated with patch v11.5.0.95 and above.
  • Imperva SecureSphere v11.0.x management interface traffic is not vulnerable.

As a best practice, Imperva always recommends that management traffic be isolated to a private or out-of-band networks.

Protecting Applications
Imperva products can be used to mitigate ROBOT attacks upon web and application servers as follows:

SecureSphere customers currently operating in TRP or KRP mode can disable the RSA ciphers to mitigate the attack immediately.

  • Please follow this KB article for instructions on how to do this within SecureSphere. This change will force all communication with the application server to be done in a different set of ciphers not vulnerable to ROBOT.

The following SecureSphere public patches/versions allow applications to be protected from the ROBOTS CVE’s (While continuing to use RSA ciphers) in both TRP and KRP deployments.

  • Imperva SecureSphere v12 mitigated with patch v12.0.0.73 and above.
  • Imperva SecureSphere v11.5 mitigated with patch v11.5.0.95 and above.
  • Imperva SecureSphere v11.0. mitigated with patch v11.0.0.102 and above.

For SecureSphere customers in bridge mode, the following applies:

  • If your website(s) are not vulnerable to the attack, no action is required.
  • If your website is vulnerable because of the SSL implementation on your server, then you can either update your website's SSL stack to a recommended/patched version from the vendor or move the SecureSphere GWs to TRP/KRP mode.
  • Moving to TRP mode on one of the patched versions above is the recommended approach for mitigation of the attack on your web servers across the estate. This has an additional benefit of allowing decryption of Diffie-Hellman ciphers which is not possible in Bridge mode.

For Incapsula or Hybrid (SecureSphere+Incapsula) deployments:

  • Incapsula Website Security automatically mitigates the ROBOT attack. Any resources protected by Incapsula Website Security are automatically protected.