Date: Tue, 12 Dec 2017 16:18:34 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: ROBOT attack (WolfSSL, Bouncy Castle, Erlang)

Hi,

I published details about the ROBOT attack today. It's a couple of
minor variations of the old Bleichenbacher attack.
(Return Of Bleichenbacher's Oracle Threat)

https://robotattack.org/

It is mostly about proprietary appliances, but also affects three FOSS
TLS stacks.

The attack is based on the fact that an attacker can distinguish valid
and invalid RSA PKCS #1 v1.5 paddings based on different server
responses.

Erlang (CVE-2017-1000385):
http://erlang.org/pipermail/erlang-questions/2017-November/094257.html
http://erlang.org/pipermail/erlang-questions/2017-November/094256.html
http://erlang.org/pipermail/erlang-questions/2017-November/094255.html

WolfSSL (CVE-2017-13099):
https://github.com/wolfSSL/wolfssl/pull/1229
(only a pull req for now, no new release yet)

Bouncy Castle (CVE-2017-13098):
https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c
1.59 beta 9 contains the fix:
https://downloads.bouncycastle.org/betas/

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
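
Added example, not part of the original message and not code from any of the affected projects: a model of a server whose responses reveal whether the RSA PKCS #1 v1.5 padding was valid, next to one that follows the RFC 5246 section 7.4.7.1 countermeasure of continuing with a random premaster secret. All function names, the alert strings and the sample blocks are constructed for illustration; `client_pms` stands in for the Finished verification, and the model covers response content only, not timing.

```python
import hmac
import os

PMS_LEN = 48  # length of a TLS premaster secret in bytes

def pkcs1_v15_unpad(em):
    """Return the payload of a PKCS #1 v1.5 encryption block, or None."""
    # Layout: 0x00 0x02 <8 or more nonzero padding bytes> 0x00 <payload>
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:  # no separator found, or fewer than 8 padding bytes
        return None
    return em[sep + 1:]

def leaky_server(em, client_pms):
    """Bad padding gets its own response, so responses form an oracle."""
    pms = pkcs1_v15_unpad(em)
    if pms is None or len(pms) != PMS_LEN:
        return "alert: decrypt_error"
    if not hmac.compare_digest(pms, client_pms):
        return "alert: bad_record_mac"  # Finished check fails later
    return "handshake ok"

def hardened_server(em, client_pms):
    """On any padding failure continue with a random premaster secret."""
    fallback = os.urandom(PMS_LEN)  # drawn before the padding is inspected
    pms = pkcs1_v15_unpad(em)
    if pms is None or len(pms) != PMS_LEN:
        pms = fallback
    if not hmac.compare_digest(pms, client_pms):
        return "alert: bad_record_mac"  # one response for every failure
    return "handshake ok"

def make_block(pms, k=256, head=b"\x00\x02"):
    """Constructed sample: a k-byte decrypted block wrapping pms."""
    return head + b"\xff" * (k - 3 - len(pms)) + b"\x00" + pms

# Constructed sample inputs (decrypted blocks, no real RSA involved)
CLIENT_PMS = b"\x03\x03" + b"\x11" * 46
VALID = make_block(CLIENT_PMS)
BAD_PAD = make_block(CLIENT_PMS, head=b"\x00\x01")
WRONG_PMS = make_block(b"\x03\x03" + b"\x22" * 46)

if __name__ == "__main__":
    for name, srv in (("leaky", leaky_server), ("hardened", hardened_server)):
        print(name, [srv(b, CLIENT_PMS) for b in (VALID, BAD_PAD, WRONG_PMS)])
```

A check of this kind against a real server compares the responses to a malformed-padding ClientKeyExchange and to a well-formed one carrying the wrong secret; any difference between the two is the signal described above.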
