Date: Tue, 12 Dec 2017 16:18:34 +0100 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Subject: ROBOT attack (WolfSSL, Bouncy Castle, Erlang) Hi, I published details about the ROBOT attack today, it's a couple of minor variations of the old Bleichenbacher attack. (Return Of Bleichenbacher's Oracle Threat) https://robotattack.org/ It is mostly about proprietary appliances, but also affects three FOSS TLS stacks. The attack is based on the fact that an attacker can distinguish valid and invalid RSA PKCS #1 v1.5 paddings based on different server responses. Erlang (CVE-2017-1000385): http://erlang.org/pipermail/erlang-questions/2017-November/094257.html http://erlang.org/pipermail/erlang-questions/2017-November/094256.html http://erlang.org/pipermail/erlang-questions/2017-November/094255.html WolfSSL (CVE-2017-13099): https://github.com/wolfSSL/wolfssl/pull/1229 (only a pull req for now, no new release yet) Bouncy Castle (CVE-2017-13098): https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c 1.59 beta 9 contains the fix: https://downloads.bouncycastle.org/betas/ -- Hanno Böck https://hboeck.de/ mail/jabber: hanno@...eck.de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ