
ROBOT Vulnerability in IM


Article ID: 200199


Updated On:

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

Following a penetration test executed against CA Identity Manager (Symantec IGA), the "RETURN OF BLEICHENBACHER'S ORACLE THREAT (ROBOT) INFORMATION DISCLOSURE" vulnerability was flagged.


Cause

Non-Issue

Environment

Release : 14.2

Component : IdentityMinder(Identity Manager)

Resolution

RETURN OF BLEICHENBACHER'S ORACLE THREAT (ROBOT) INFORMATION DISCLOSURE

This only affects TLS cipher suites that use RSA encryption for the key exchange. Most modern TLS connections use an Elliptic Curve Diffie-Hellman key exchange and need RSA only for signatures. See the following article for more information.

https://www.middlewareinventory.com/blog/robot-return-of-bleichenbacher-oracle-threat/

The recommended mitigation is to disable RSA encryption as a key exchange; specifically, all cipher suites whose names start with TLS_RSA. This does not include the suites that use RSA only for signatures, i.e. those with DHE or ECDHE in their name; those suites are not affected by the ROBOT attack.
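As an added example (not part of this article or the product), the script below applies the rule just stated to a configured cipher-suite list: it classifies each IANA/Java-style suite name by key-exchange method, drops only the TLS_RSA (RSA key transport) suites, and keeps the ECDHE/DHE suites that use RSA purely for signatures. The sample list is constructed for illustration. It also shows the equivalent OpenSSL cipher string, where `!kRSA` removes RSA key exchange without removing RSA authentication, and asks the local OpenSSL build (through Python's `ssl` module) whether any RSA-key-exchange suite survives that string.

```python
"""Filter RSA-key-exchange (ROBOT-affected) suites out of a TLS cipher list.

Added example; the sample suites below are constructed, not taken from any
product configuration.
"""
import re
import ssl

# Constructed sample of what an application server's cipher list might contain.
SAMPLE_CIPHERS = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",            # RSA key transport: affected
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # RSA used only to sign: fine
    "TLS_RSA_WITH_AES_256_GCM_SHA384",         # RSA key transport: affected
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",     # RSA used only to sign: fine
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", # no RSA at all: fine
    "TLS_AES_128_GCM_SHA256",                  # TLS 1.3: always (EC)DHE
    "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",        # RSA key transport + PSK: affected
]

# TLS 1.3 suite names carry no key-exchange token (e.g. AES_128_GCM_SHA256).
TLS13_SUITE = re.compile(r"^(AES_\d+_(GCM|CCM(_8)?)|CHACHA20_POLY1305)_SHA\d+$")


def classify(suite: str) -> str:
    """Return the key-exchange class of a cipher suite name.

    'rsa-kx' : RSA key transport (PKCS#1 v1.5), the class ROBOT targets
    'dh-kx'  : (EC)DH(E) key agreement; RSA, if present, only signs
    'tls13'  : TLS 1.3 suite, which always uses ephemeral key agreement
    'other'  : anything else (plain PSK, SRP, NULL, ...), to be reviewed by hand
    """
    body = re.sub(r"^(TLS|SSL)_", "", suite.strip().upper())  # Java also uses SSL_ prefixes
    if body.startswith("RSA_"):  # TLS_RSA_WITH_*, TLS_RSA_PSK_*, TLS_RSA_EXPORT_*
        return "rsa-kx"
    if body.startswith(("ECDHE_", "DHE_", "ECDH_", "DH_")):
        return "dh-kx"
    if TLS13_SUITE.match(body):
        return "tls13"
    return "other"


def harden(suites):
    """Split a suite list into (kept, removed); only RSA key transport is removed."""
    kept, removed = [], []
    for suite in suites:
        (removed if classify(suite) == "rsa-kx" else kept).append(suite)
    return kept, removed


def harden_csv(csv: str) -> str:
    """Same filter for the comma-separated form many Java server configs use."""
    kept, _ = harden([s.strip() for s in csv.split(",") if s.strip()])
    return ",".join(kept)


# OpenSSL-syntax equivalent of the same policy. '!kRSA' excludes RSA key
# exchange but keeps ECDHE-RSA / DHE-RSA, which only authenticate with RSA.
OPENSSL_CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!kRSA:!aNULL:!eNULL"


def rsa_kx_survivors(cipher_string: str):
    """Return the suites the local OpenSSL enables for cipher_string that still
    use RSA key exchange (OpenSSL reports these as kea == 'kx-rsa').
    Returns None if the string cannot be evaluated by this OpenSSL build."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers() if c.get("kea") == "kx-rsa"]


if __name__ == "__main__":
    kept, removed = harden(SAMPLE_CIPHERS)
    print("removed (RSA key exchange):", *removed, sep="\n  ")
    print("kept:", *kept, sep="\n  ")
    print("OpenSSL string:", OPENSSL_CIPHER_STRING)
    print("RSA-kx suites surviving that string:", rsa_kx_survivors(OPENSSL_CIPHER_STRING))
```

Run the hardened list back through the same classifier after deploying it (or scan the listener with a TLS scanner of your choice): the check is that no suite in the `rsa-kx` class is negotiable, while `TLS_ECDHE_RSA_*` and `TLS_DHE_RSA_*` still are, so the server certificate does not need to change.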

For information on securing TLS please refer to the product documentation.

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-2/reference/advanced-configuration-options/domain-configuration/tls-configuration.html