A team of academics has found a new variant of the infamous Bleichenbacher's attack affecting the latest version of the TLS protocol, TLS 1.3. TLS 1.3 was released last spring and was considered to be secure.
According to the researchers, the latest variant of Bleichenbacher's attack can allow attackers to intercept TLS traffic and steal data. In some scenarios, it can even downgrade the TLS 1.3 protocol to TLS 1.2, thus making it easy for other variations of Bleichenbacher's attack to work without hindrance.
"We tested nine different TLS implementations against cache attacks and seven were found to be vulnerable: OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, and GnuTLS," said the researchers, ZDNet reported.
Type of flaws leveraged
Researchers found that the following CVE identifiers - CVE-2018-12404, CVE-2018-19608, CVE-2018-16868, CVE-2018-16869, and CVE-2018-16870 - can be exploited to enable the new variant of Bleichenbacher's attack.
This cryptographic attack is a new version of the original attack, which was named after Swiss cryptographer Daniel Bleichenbacher. He demonstrated the first attack against systems using RSA encryption with the PKCS#1 v1 encoding function.
Over the years, cryptographers have come up with other variations of this 19-year-old attack such as ROBOT and DROWN.
Where does the problem lie?
The failure of hardware and software vendors to implement the required countermeasures, which are meant to make attempts to guess the RSA decryption key harder, is one of the primary reasons such attacks have persisted over the years.
The countermeasures are defined in Section 7.4.7.1 of the TLS standard (RFC 5246). Because vendors have failed to implement proper mitigation steps, Bleichenbacher's attack can affect any vulnerable TLS-capable server, router, firewall, VPN or software library.
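The RFC 5246 countermeasure referred to above, shown as an added example that is not code from the researchers' paper or from any of the libraries named in this article: a leaky PKCS#1 v1.5 decoder that takes a different early exit for every padding fault, beside a hardened decoder that scans the whole block without data-dependent branches and, when anything is wrong, selects a pre-generated random premaster secret by mask so the handshake continues and only fails later. It assumes the RSA decryption has already been done (the input is the recovered padded block, here constructed test data) and that the caller supplies the 48-byte fallback from a CSPRNG; a real library also has to keep the RSA operation itself and the compiler's output constant-time.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PMS_LEN 48   /* TLS premaster secret length, per RFC 5246 */

/* Constant-time byte equality: 0xFF if a == b, else 0x00, with no data-dependent branch. */
static uint8_t ct_eq(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;                       /* zero iff equal */
    return (uint8_t)(0 - ((x - 1) >> 31));    /* x - 1 borrows out of bit 31 only when x == 0 */
}

/* Leaky decoder: each fault takes its own early exit, so timing and cache footprint reveal
 * which check failed. Returns 0 and fills pms_out on success, -1 on any padding error. */
int unpad_leaky(const uint8_t *em, size_t k, uint8_t pms_out[PMS_LEN], uint16_t version) {
    if (em[0] != 0x00 || em[1] != 0x02) return -1;                 /* bad block type */
    size_t i = 2;
    while (i < k && em[i] != 0x00) i++;                            /* find the 0x00 separator */
    if (i < 10 || i == k) return -1;                               /* padding too short / no separator */
    if (k - i - 1 != PMS_LEN) return -1;                           /* payload must be exactly 48 bytes */
    if ((((uint16_t)em[i + 1] << 8) | em[i + 2]) != version) return -1;  /* version check */
    memcpy(pms_out, em + i + 1, PMS_LEN);
    return 0;
}

/* Hardened decoder in the style of RFC 5246 section 7.4.7.1: walk the whole block with no
 * data-dependent branches, fold every fault into one mask, then select between the decoded
 * secret and the pre-generated random fallback. The peer cannot tell which path was taken. */
void unpad_ct(const uint8_t *em, size_t k, const uint8_t fallback[PMS_LEN], uint8_t pms_out[PMS_LEN], uint16_t version) {
    size_t start = k - PMS_LEN;             /* a well-formed payload must begin here */
    uint8_t bad = 0;
    bad |= (uint8_t)~ct_eq(em[0], 0x00);
    bad |= (uint8_t)~ct_eq(em[1], 0x02);
    for (size_t i = 2; i + 1 < start; i++)  /* padding string: every byte must be nonzero */
        bad |= ct_eq(em[i], 0x00);
    bad |= (uint8_t)~ct_eq(em[start - 1], 0x00);
    bad |= (uint8_t)~ct_eq(em[start], version >> 8);
    bad |= (uint8_t)~ct_eq(em[start + 1], version & 0xFF);
    for (size_t j = 0; j < PMS_LEN; j++)    /* mask select: bad == 0xFF picks the fallback */
        pms_out[j] = (uint8_t)((em[start + j] & (uint8_t)~bad) | (fallback[j] & bad));
}

/* Constructed test block (not a real RSA decryption): 0x00 0x02 | nonzero padding string |
 * 0x00 | version | 46 secret bytes. The first two bytes of pms are replaced by version. */
void build_sample_block(uint8_t *em, size_t k, const uint8_t pms[PMS_LEN], uint16_t version) {
    size_t start = k - PMS_LEN;
    em[0] = 0x00; em[1] = 0x02;
    for (size_t i = 2; i + 1 < start; i++) em[i] = (uint8_t)(0x80 | (i & 0x7F));
    em[start - 1] = 0x00;
    memcpy(em + start, pms, PMS_LEN);
    em[start] = (uint8_t)(version >> 8); em[start + 1] = (uint8_t)(version & 0xFF);
}
```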
In addition to TLS 1.3, the new variant of Bleichenbacher's attack also affects Google’s new QUIC encryption protocol.
"The attack leverages a side-channel leak via cache access timings of these implementations in order to break the RSA key exchanges of TLS implementations," researchers explained.