The 2018 Pwnie Winner For Best Cryptographic Attack

Return Of Bleichenbacher’s Oracle Threat

Credit: Hanno Böck, Juraj Somorovsky, and Craig Young

Consider Hanno Böck’s M.O.: you’ve got some extremely basic cryptographic vulnerability that no academic team is paying attention to anymore, because who could be stupid enough to have that problem anymore? Hanno takes the guesswork out of this and just asks the Internet: is it possible that people are actually running web servers that use zero as their AES-GCM nonce? And, long story short, later that year Hanno and Sean Devlin are on stage at Black Hat giving a talk whose slides are hosted on the website of an unsuspecting GCHQ. This is just how Hanno works.

So, at some point last year, Hanno and friends decided to ask the Internet another question: do web servers really still have RSA padding oracles, the kind Daniel Bleichenbacher discovered back in 1998? It’s 20 years later! We’ve dealt with that problem by now, right?

And the result is a Bleichenbloodbath.

They’re publishing documents signed with Facebook’s private key (not once, but twice, breaking Facebook’s fix for the bug). They’ve killed the RSA on F5 Big-IP boxes. Does anyone still use Radware? I guess they do, because the ROBOT team broke those. Citrix, too. Cisco’s ACE boxes are broken — Cisco won’t fix them, mind you, because they’re out of support now, but, oh shit, hold on, CISCO.COM is vulnerable too! Paypal’s vulnerable! A chunk of the Alexa top million. BouncyCastle breaks. The custom non-OpenSSL libraries like WolfSSL and MatrixSSL break. Erlang is broken. Cavium is broken. Unisys ClearPath MCP is broken! The MCP! It’s bananas.

The paper is bananas, too. They came up with and released an efficient scanning technique to spot BB’98 flaws, and in developing it discovered a bunch of new tricks for spotting BB’98 in TLS implementations. They released the scanner on GitHub. And a test tool on their website. And a CTF.