
Vulnerability Note VU#144389


Khandelwal, Kushal

Jan 17, 2018, 7:37:19 AM
to dev-se...@lists.mozilla.org, Rao, Pankaj

Hello Mozilla Team

We are using Mozilla NSS in our product for TLS 1.2 implementation. Recently our clients have enquired about vulnerability VU#144389 with the following description:

Summary: TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding

Link to vulnerability details:
https://www.kb.cert.org/vuls/id/144389


Is Mozilla code affected by this vulnerability?

Thanks
Kushal

Hanno Böck

Jan 18, 2018, 5:49:18 PM
to dev-se...@lists.mozilla.org
Hi,

On Wed, 17 Jan 2018 12:36:42 +0000
"Khandelwal, Kushal" <Kushal_K...@bmc.com> wrote:

> Summary: TLS implementations may disclose side channel information
> via discrepancies between valid and invalid PKCS#1 padding
>
> Link to vulnerability details:
> https://www.kb.cert.org/vuls/id/144389
>
> Is Mozilla code affected by this vulnerability?

I'm the discoverer of this attack.

This is not straightforward to answer. ROBOT is a re-discovery of
so-called Bleichenbacher attacks. We only focussed on non-timing
variations of this vuln. NSS is not vulnerable to that.

However Bleichenbacher attacks are also possible with timing - and NSS
is vulnerable and this has been known for a long time, here's the bug
report:
https://bugzilla.mozilla.org/show_bug.cgi?id=577498

This is relatively complicated to exploit over a real network. Also I
should note that there's a related timing issue due to variable sized
bignums that affects practically every TLS implementation out there.

This all boils down to RSA encryption in PKCS #1 v1.5 being incredibly
fragile. Our recommendation when we disclosed ROBOT was to just turn
that off and always rely on forward secrecy-enabled ciphers.

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
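The server-side countermeasure Hanno alludes to (treating valid and invalid PKCS#1 v1.5 padding identically so that neither the alert nor the timing reveals the outcome), written out as an added Python example that is not part of this thread or of NSS; it follows the RFC 5246 7.4.7.1 pattern of always substituting a fresh random premaster secret, and the 128-byte modulus and version bytes are constructed sample values. Python offers no constant-time guarantees, so the block illustrates the control-flow structure, not a drop-in implementation.

```python
import secrets

PMS_LEN = 48  # TLS premaster secret is always 48 bytes (RFC 5246 7.4.7.1)

def pad_pms(pms: bytes, k: int) -> bytes:
    """PKCS#1 v1.5 type-2 encoding of a premaster secret into a k-byte
    block, as a TLS client does before RSA-encrypting it:
    0x00 0x02 || PS (nonzero bytes, >= 8) || 0x00 || PMS."""
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - PMS_LEN - 3))
    return b"\x00\x02" + ps + b"\x00" + pms

def is_zero_byte(b: int) -> int:
    """1 if b == 0 else 0, computed without a data-dependent branch."""
    return ((b - 1) >> 8) & 1

def unpad_tls_rsa_pms(em: bytes, client_version: bytes) -> bytes:
    """Server-side recovery of the PMS from the RSA-decrypted block EM.
    Every padding byte is inspected, all failures are folded into one
    'bad' flag, and a random PMS is selected with a mask instead of an
    early return, so valid and invalid padding follow the same path and
    produce a 48-byte result either way (the handshake then fails later
    on the Finished MAC, indistinguishably from a wrong PMS)."""
    random_pms = secrets.token_bytes(PMS_LEN)
    k = len(em)
    if k < PMS_LEN + 11:  # k is the public modulus size; branching on it leaks nothing
        return random_pms
    bad = em[0] | (em[1] ^ 0x02)                # block type must be 0x00 0x02
    for i in range(2, k - PMS_LEN - 1):
        bad |= is_zero_byte(em[i])              # PS must contain no zero byte
    bad |= em[k - PMS_LEN - 1]                  # separator must be 0x00
    pms = em[k - PMS_LEN:]
    bad |= pms[0] ^ client_version[0]           # first two PMS bytes carry client_version
    bad |= pms[1] ^ client_version[1]
    mask = ((bad - 1) >> 8) & 0xFF              # 0xFF when bad == 0, else 0x00
    return bytes((mask & p) | (~mask & r & 0xFF) for p, r in zip(pms, random_pms))

if __name__ == "__main__":
    # Constructed sample: TLS 1.2 client_version followed by 46 filler bytes.
    sample_pms = b"\x03\x03" + bytes(range(46))
    em = pad_pms(sample_pms, 128)
    assert unpad_tls_rsa_pms(em, b"\x03\x03") == sample_pms
    broken = bytearray(em)
    broken[1] = 0x01                            # wrong block type
    assert unpad_tls_rsa_pms(bytes(broken), b"\x03\x03") != sample_pms
    print("valid padding yields the PMS; invalid padding yields a random PMS")
```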