SSL Certificate Analysis Open Port Detection Web Application Scanning DNS Security Audit HTTP Header Analysis Misconfiguration Detection Software Fingerprinting Subdomain Enumeration
SSL Certificate Analysis Open Port Detection Web Application Scanning DNS Security Audit HTTP Header Analysis Misconfiguration Detection Software Fingerprinting Subdomain Enumeration

All Entries

Category Cryptographic Vulnerability / Padding Oracle
Typical Severity High
OWASP A02:2021 – Cryptographic Failures
CWE CWE-203 (Observable Discrepancy), CWE-326 (Inadequate Encryption Strength)
CVEs CVE-2017-13099, CVE-2017-6168, CVE-2017-17382, CVE-2017-17427, CVE-2017-17428 (vendor-specific)
Also known as ROBOT, Return Of Bleichenbacher's Oracle Threat, Bleichenbacher's RSA Attack
Affected systems TLS/SSL servers supporting RSA key exchange (PKCS#1 v1.5); affected vendors include F5, Citrix, Cisco, Radware, Bouncy Castle, and others (disclosed 2017)
First published Original Bleichenbacher attack: 1998; ROBOT rediscovery: December 2017

Overview

The ROBOT Attack (Return Of Bleichenbacher's Oracle Threat) is a practical exploitation of a cryptographic weakness first described by Daniel Bleichenbacher in 1998. It targets TLS servers that use RSA with PKCS#1 v1.5 padding for key exchange. Despite being nearly two decades old, the vulnerability was found actively present in major commercial TLS implementations when researchers revisited it in 2017.

The core issue is that certain servers reveal, through different error messages, timing differences, or behavioural discrepancies, whether an RSA-encrypted ciphertext has valid PKCS#1 v1.5 padding. This information leakage constitutes an oracle that an attacker can query thousands to millions of times to reconstruct plaintext or forge signatures — without ever possessing the server's private key.

How it works

RSA PKCS#1 v1.5 (defined in RFC 2313 and later RFC 8017) specifies that a padded message must begin with the byte sequence 0x00 0x02, followed by non-zero random padding bytes and a 0x00 separator. In TLS RSA key exchange, the client encrypts the pre-master secret using the server's public RSA key with this padding scheme.

Bleichenbacher's adaptive chosen-ciphertext attack works as follows:

  • Oracle identification: The attacker identifies that the target server responds differently (different alert type, different timing, or connection behaviour) depending on whether a submitted RSA ciphertext decrypts to a value with conformant PKCS#1 v1.5 padding.
  • Ciphertext blinding: The attacker intercepts a legitimate RSA-encrypted ciphertext (e.g., captured from a TLS handshake) and multiplies it by chosen blinding factors modulo the server's public modulus n, producing modified ciphertexts that the server will decrypt.
  • Iterative narrowing: By submitting thousands to millions of crafted ciphertexts and observing oracle responses, the attacker progressively narrows the range of possible plaintext values using interval arithmetic, ultimately recovering the original plaintext.
  • Signature forgery: Because RSA signing and decryption are mathematically equivalent operations, the same oracle can be exploited to produce valid RSA signatures for arbitrary messages, impersonating the server.
  • No private key required: The entire attack is performed using only the server's public key and the oracle; the private key is never recovered directly.

Modern variants identified in 2017 required as few as ~17,000 oracle queries due to implementation-specific timing side-channels, compared to the ~1,000,000 queries in the original theoretical analysis. In some cases, vulnerabilities arose from incorrect error-handling code that had been present for over a decade in enterprise load balancers and TLS termination appliances.

The attack applies exclusively to TLS cipher suites that use RSA key exchange (e.g., TLS_RSA_WITH_AES_128_CBC_SHA). It does not affect cipher suites using Diffie-Hellman or ECDHE key exchange, which provide forward secrecy.

Business impact

A successful ROBOT exploitation has several serious consequences:

  • Passive session decryption: An attacker who has recorded TLS traffic encrypted with a vulnerable RSA key exchange can retroactively decrypt that traffic, exposing credentials, session tokens, and sensitive application data.
  • Active man-in-the-middle: Real-time decryption of TLS sessions allows interception and modification of communications without detection.
  • RSA signature forgery: Attackers can forge TLS server signatures, undermining server authentication and enabling impersonation attacks against clients.
  • Regulatory exposure: Disclosure of encrypted data due to cryptographic failure may trigger breach notification obligations under GDPR, PCI-DSS, HIPAA, and similar frameworks.
  • Reputational damage: Public disclosure of a long-standing cryptographic vulnerability in production systems, particularly one with a 20-year history, carries significant reputational risk.

How to fix it

  1. Disable RSA key exchange cipher suites: Remove all TLS_RSA_* cipher suites from your TLS configuration. These cipher suites are the prerequisite for the attack. Only retain cipher suites that use ephemeral Diffie-Hellman (DHE) or elliptic-curve Diffie-Hellman (ECDHE) key exchange, which also provide forward secrecy.
  2. Apply vendor patches: If removing RSA key exchange immediately is not feasible, apply all vendor-issued patches for your TLS implementation or appliance. Consult the CVE list associated with ROBOT for your specific product (F5 BIG-IP, Citrix NetScaler, Cisco ACE, etc.).
  3. Implement constant-time RSA decryption: For TLS library developers, ensure RSA PKCS#1 v1.5 decryption errors are handled in constant time with a randomly generated pre-master secret substitute (per the countermeasure described in RFC 5246 Section 7.4.7.1 and updated guidance in RFC 8446).
  4. Adopt TLS 1.3: TLS 1.3 (RFC 8446) removes RSA key exchange entirely and mandates forward-secret key exchange, eliminating this class of vulnerability by design.
  5. Audit TLS configuration regularly: Use automated scanning to confirm that no RSA key exchange cipher suites remain enabled after configuration changes or software upgrades.
  6. Review certificate usage: If your RSA certificate was used with vulnerable cipher suites and an attacker may have recorded traffic, consider rotating the certificate and revoking the old one, though note this does not protect already-recorded sessions decryptable via the oracle.

References

Frequently asked questions

ROBOT (Return Of Bleichenbacher's Oracle Threat) is a padding oracle attack against TLS servers that use RSA PKCS#1 v1.5 key exchange. By exploiting observable differences in how a server responds to crafted RSA ciphertexts, an attacker can decrypt recorded TLS sessions or forge RSA signatures without possessing the server's private key.

Supporting TLS 1.2 alone does not make a server vulnerable. Vulnerability depends on whether TLS_RSA_* cipher suites (RSA key exchange) are enabled and whether the underlying implementation has the padding oracle flaw. Servers using only ECDHE or DHE cipher suites, or TLS 1.3 exclusively, are not affected.

The number of oracle queries varies by implementation. The original 1998 Bleichenbacher analysis estimated up to one million queries. The 2017 ROBOT research demonstrated practical attacks requiring as few as 17,000 queries against specific vulnerable implementations, making real-time exploitation feasible.

Yes. Forward-secret cipher suites (ECDHE, DHE) generate ephemeral session keys and do not rely on RSA decryption for key exchange, so the Bleichenbacher oracle is not applicable. Disabling RSA key exchange cipher suites and using only ECDHE/DHE is the primary remediation.

Yes. TLS 1.3 removes RSA key exchange entirely from the protocol specification and mandates forward-secret key exchange, eliminating the class of vulnerability that ROBOT exploits by design.

Certificate rotation does not fix the underlying oracle vulnerability and does not protect traffic that was already recorded while the vulnerable configuration was active. The correct fix is to disable RSA key exchange cipher suites and apply vendor patches. Certificate rotation is an additional measure if key compromise is suspected.