TLS robot vulnerability  in DEVTEST

book

Article ID: 144183

calendar_today

Updated On:

Products

CLOUDTEST CA Application Test CA Cloud Test Mobile MOBILECLOUD Service Virtualization

Issue/Introduction

Need help with security with a TLS robot vulnerability 

Environment

Release : 10.5

Component : CA Service Virtualization

Resolution

ROBOT only affects TLS cipher modes that use RSA encryption. To mitigate this vulnerability, we have to disable RSA key exchange ciphers. We can do this by modifying the list of server-supported ciphers. Per the official link https://robotattack.org, disabling RSA encryption means disabling all ciphers that start with TLS_RSA. It does not include the ciphers that use RSA signatures and include DHE or ECDHE in their name. These ciphers are not affected by the attack.



DevTest supports a property "lisa.server.https.cipher.suites" that lets you restrict the enabled cipher suites for DevTest. But there are certain rules for this property depending on the ciphers supported by the configured JVM. For example,

If this property is not included in the properties file or if the property is included but with an empty value, then the default JVM-supported ciphers are enabled.
If none of the cipher names that are specified in this property are supported by the JVM, then the default JVM-supported ciphers are enabled.
If at least one cipher name specified in this property is supported by the JVM, then those ciphers alone are enabled.
So it depends on what ciphers their JVM supports. For more details refer to the below link.

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/continuous-testing/devtest-solutions/10-5/reference/property-descriptions/custom-property-files/local-properties-file.html#concept.dita_3f01127616df0b8bb3296906a21a3df06a484f00_SSLProperties



Below is the property to used to include the non-vulnerable cipher suites in local.properties.

lisa.server.https.cipher.suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,\ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,\ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,\ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,\ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,\ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,\ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,\ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,\ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,\ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,\ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Note: When using the "\" at the end of the line, absolutely no spaces or other characters may follow the "\" -- the "\" must be the last character on the line. Otherwise, the property value will truncate at the first illegal character. I would recommend opening Workstation and reviewing the value of lisa.server.https.cipher.suites to make sure the complete set of cipher suites was assigned.