VMware Response to VU#144389 “ROBOT attack”

Article ID: 328940


Products

VMware vCenter Server

Issue/Introduction

The VMware Security Engineering, Communications and Response group (vSECR) has investigated the impact that VU#144389 may have on VMware products.

TLS implementations that use RSA key exchange may leak a side channel through differences in how they handle valid and invalid PKCS#1 v1.5 padding of the encrypted premaster secret. A server that behaves differently for the two cases acts as a padding oracle and may be vulnerable to Bleichenbacher-style attacks, in which an attacker uses repeated queries to decrypt a recorded session's premaster secret or forge a signature with the server's key. This instance of the attack is known as ROBOT (Return Of Bleichenbacher's Oracle Threat).

Resolution

vSECR has evaluated this vulnerability and determined that all of the following conditions must be met for it to be exploitable:
  • The TLS endpoint negotiates cipher suites that use RSA key exchange, i.e. the client encrypts the premaster secret with the server's RSA public key under PKCS#1 v1.5 padding. Suites that use RSA only for signatures (for example ECDHE-RSA) do not meet this condition, and TLS 1.3 has no RSA key exchange at all. 
  • The endpoint is a RabbitMQ installation that relies on those RSA cipher suites and runs on an Erlang/OTP version prior to 19.3.6.4 (19.x line) or 20.1.7 (20.x line). 
Note: Qualys can return a false positive for ROBOT on ESXi port 5989 (the HTTPS listener of the sfcb CIM server) due to a race condition: both the Qualys scanner and sfcb on ESXi use a 5-second timeout.

To prevent this false positive from appearing on ESXi port 5989:
  1. Connect to the ESXi host over SSH with root credentials.
  2. Navigate to /etc/sfcb.
  3. Back up the sfcb.cfg file.
  4. Open sfcb.cfg in a text editor.
  5. Add this line:
     httpSelectTimeout: 8
  6. Save and close the file.
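As an added example (not VMware's own script and not part of this article), the following POSIX shell functions cover the two things a practitioner wants at this point: a check of whether an endpoint actually negotiates an RSA key exchange suite, which is the first exploitability condition listed above, and an idempotent, backed-up form of the sfcb.cfg edit in steps 1 to 6. The function names, the reader helper, and the sfcbd restart command named in the comments are assumptions; the OpenSSL invocation uses the standard s_client options -tls1_2 and -cipher kRSA.

```shell
#!/bin/sh
# Added example, not VMware's code. Helper functions around the ROBOT
# exposure conditions in this article. Function names are assumed.
#
#   rsa_kex_negotiated HOST [PORT]
#       Offers the server only RSA-key-exchange suites (OpenSSL cipher
#       group 'kRSA') and pins TLS 1.2, because TLS 1.3 suites never use
#       RSA key exchange and would otherwise mask the result. Returns 0
#       when the server completes the handshake with such a suite, i.e.
#       the first exploitability condition is met; returns 1 otherwise.
#
#   set_sfcb_select_timeout [CFG_FILE] [SECONDS]
#       Sets httpSelectTimeout in an sfcb.cfg (default 8, the value the
#       article recommends) exactly once, replacing an existing entry
#       rather than appending a duplicate, and keeps a timestamped backup.
#       Assumption: a running sfcbd does not re-read its configuration, so
#       restart it afterwards; on ESXi the usual command is
#       /etc/init.d/sfcbd-watchdog restart (not named by the article).
#
#   sfcb_select_timeout [CFG_FILE]
#       Prints the current httpSelectTimeout value (empty if unset).

rsa_kex_negotiated() {
    host=$1
    port=${2:-443}
    # s_client prints "New, TLSv1.2, Cipher is <SUITE>" on success and
    # "New, (NONE), Cipher is (NONE)" when no offered suite is acceptable.
    cipher=$(openssl s_client -connect "$host:$port" -tls1_2 -cipher 'kRSA' \
                 </dev/null 2>/dev/null | sed -n 's/.*Cipher is //p' | head -n 1)
    [ -n "$cipher" ] && [ "$cipher" != "(NONE)" ]
}

set_sfcb_select_timeout() {
    cfg=${1:-/etc/sfcb/sfcb.cfg}
    secs=${2:-8}
    backup="$cfg.$(date +%Y%m%d%H%M%S).bak"
    cp "$cfg" "$backup" || return 1
    if grep -q '^httpSelectTimeout:' "$cfg"; then
        # Replace the existing value in place (temp file + mv keeps this
        # portable to BusyBox sed on ESXi as well as GNU/BSD sed).
        sed "s/^httpSelectTimeout:.*/httpSelectTimeout: $secs/" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        # Make sure the new key starts on its own line even if the file
        # lacks a trailing newline, then append it.
        if [ -s "$cfg" ] && [ -n "$(tail -c 1 "$cfg")" ]; then
            echo >> "$cfg"
        fi
        printf 'httpSelectTimeout: %s\n' "$secs" >> "$cfg"
    fi
    echo "backup written to $backup; restart sfcbd for the change to take effect"
}

sfcb_select_timeout() {
    sed -n 's/^httpSelectTimeout:[[:space:]]*//p' "${1:-/etc/sfcb/sfcb.cfg}" | tail -n 1
}

# Usage (run by hand, not at load time):
#   rsa_kex_negotiated esxi-host.example.net 5989 && echo "RSA kex offered"
#   set_sfcb_select_timeout            # edits /etc/sfcb/sfcb.cfg
#   sfcb_select_timeout                # prints 8
```

Run rsa_kex_negotiated against port 5989 from a machine with OpenSSL before chasing a scanner finding: if the handshake fails with kRSA only, the listener does not meet the first condition and the finding is a false positive regardless of timeouts. On the host itself, set_sfcb_select_timeout with no arguments applies the article's setting to /etc/sfcb/sfcb.cfg, leaves a dated backup beside it, and is safe to re-run.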

Unaffected Products

It has been determined that exploitation is not possible in the following products because one or more of the conditions listed above are not met. If no version number is listed next to a product entry, the entry refers to all supported versions of that product.
  • VMware ESXi
  • Site Recovery Manager
  • vCloud Director for Service Providers
  • vRealize Automation
  • vRealize Business for Cloud
  • vRealize Orchestrator
  • vRealize Operations
  • vCloud Usage Meter
  • VMware Horizon 7
  • Unified Access Gateway
Note: Automated vulnerability scanners may report that these products are vulnerable even though the issue is not exploitable. 

Change Log

03-09-2018: Initial draft
06-13-2018: Updated to include VMware Horizon 7 in the list of unaffected products
06-14-2019: Updated to include Unified Access Gateway in the list of unaffected products