Jan 9, 2018, 10:25 AM
11 Posts

Return Of Bleichenbacher's Oracle Threat (ROBOT) Information Disclosure

  • Category: Domino Server
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator
  • Replies: 5

My Domino servers have the security finding:
 "Return Of Bleichenbacher's Oracle Threat (ROBOT) Information Disclosure"
How am I supposed to fix this? Does IBM have a published fix? If not,
does anyone know when a fix will be forthcoming?
Thanks.

Jan 10, 2018, 6:05 AM
50 Posts
Me too...

We have just upgraded customer servers to the latest 9.0.1FP9 and are also getting these alerts when testing the SSL config via Qualys Labs.

Anyone from IBM care to advise how to mitigate/fix this?

Jan 10, 2018, 7:15 AM
50 Posts
Workaround...

By only enabling ECDHE & DHE ciphers this appears to have worked around the issue and I no longer get the ROBOT errors.

FYI this is the notes.ini I used: SSLCipherSpec=C030009FC02F009EC028006BC0140039C0270067C013

Jan 10, 2018, 10:17 AM
11 Posts
Work around works for me

Thanks. This work around worked. My SSLCipherSpec looks like this: SSLCipherSpec=C030009FC028006BC0140039

I only enabled the 256 bit ciphers.

Jan 15, 2018, 6:00 AM
87 Posts
Here is the list I used
SSLCipherSpec=C030009FC02F009EC028006BC0270067C014

Per SSL Labs that allows support for IE 8-10.

Howard
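The three SSLCipherSpec values posted above all work for the same reason: every cipher suite they list uses ECDHE or DHE key exchange, so the server never RSA-decrypts a client-supplied premaster secret, which is the operation ROBOT's padding oracle depends on. The script below is an added example, not code from the original posts or from IBM: it decodes a Domino SSLCipherSpec value into IANA cipher suite names and flags any suite with static RSA key exchange (names of the form TLS_RSA_WITH_*). The suite table is a hand-written subset covering the IDs used in this thread plus the common static-RSA suites; the function names and the dictionary shape are my own.

```python
"""Audit a Domino notes.ini SSLCipherSpec value for ROBOT-relevant cipher suites.

Added example (not from the forum posts or IBM). The cipher suite IDs are the
standard IANA TLS registry values, written here as the 4-hex-digit form Domino
uses. Only a subset of the registry is included.
"""

# Subset of the IANA TLS Cipher Suite registry, keyed by Domino's 4-hex-digit form.
CIPHER_SUITES = {
    # Forward-secret suites (ECDHE / DHE key exchange): no RSA premaster decryption.
    "C030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "C028": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "C027": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "C014": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "C013": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "009F": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "009E": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "006B": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "0067": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "0039": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "0033": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    # Static RSA key exchange: the client RSA-encrypts the premaster secret,
    # so a PKCS#1 v1.5 padding oracle in the server's decryption is exploitable.
    "009D": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "009C": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "003D": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "003C": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "0035": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "002F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "000A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def parse_spec(value):
    """Split an SSLCipherSpec value (optionally with the 'SSLCipherSpec=' prefix)
    into a list of 4-hex-digit suite IDs. Rejects malformed input instead of
    silently mis-aligning the remaining IDs."""
    spec = value.strip()
    if "=" in spec:
        spec = spec.split("=", 1)[1].strip()
    spec = spec.upper()
    if len(spec) % 4 != 0 or any(c not in "0123456789ABCDEF" for c in spec):
        raise ValueError("SSLCipherSpec must be a run of 4-hex-digit suite IDs: %r" % value)
    return [spec[i:i + 4] for i in range(0, len(spec), 4)]


def suite_name(suite_id):
    """IANA name for a suite ID, or a placeholder for IDs outside the table."""
    return CIPHER_SUITES.get(suite_id, "UNKNOWN_" + suite_id)


def uses_static_rsa_kex(name):
    """True for suites where the premaster secret is RSA-encrypted to the server."""
    return name.startswith("TLS_RSA_WITH_")


def audit_spec(value):
    """Classify every suite in the spec. 'rsa_kex' is the list that matters
    for ROBOT; 'unknown' should be looked up by hand before trusting the result."""
    result = {"forward_secret": [], "rsa_kex": [], "unknown": []}
    for suite_id in parse_spec(value):
        name = suite_name(suite_id)
        if name.startswith("UNKNOWN_"):
            result["unknown"].append(suite_id)
        elif uses_static_rsa_kex(name):
            result["rsa_kex"].append((suite_id, name))
        else:
            result["forward_secret"].append((suite_id, name))
    return result


def strip_rsa_kex(value):
    """Return the spec with static-RSA suites removed, preserving the order of
    the remaining suites (Domino treats the list order as preference order)."""
    kept = [sid for sid in parse_spec(value) if not uses_static_rsa_kex(suite_name(sid))]
    return "".join(kept)


if __name__ == "__main__":
    # The three specs from this thread plus a constructed one that still lists
    # two static-RSA suites, as a mixed case.
    samples = [
        "SSLCipherSpec=C030009FC02F009EC028006BC0140039C0270067C013",
        "SSLCipherSpec=C030009FC028006BC0140039",
        "SSLCipherSpec=C030009FC02F009EC028006BC0270067C014",
        "SSLCipherSpec=C030009D002FC02F",  # constructed example, not from the thread
    ]
    for s in samples:
        report = audit_spec(s)
        print(s)
        for sid, name in report["rsa_kex"]:
            print("  ROBOT-relevant:", sid, name)
        if not report["rsa_kex"]:
            print("  no static-RSA key exchange suites")
        print("  cleaned:", strip_rsa_kex(s))
```

Running it against the three posted values reports no static-RSA suites, which is why the Qualys finding clears. Two caveats worth keeping in mind: the check only says that this server no longer offers the vulnerable key exchange, not that the underlying padding-oracle behaviour in the Domino TLS stack is fixed (that is what the FP10 change is for); and because a ROBOT oracle exposes operations with the private key, another host that serves the same certificate and still offers TLS_RSA_WITH_* suites keeps the key exposed.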

Jan 19, 2018, 12:56 PM
190 Posts
ROBOT to be addressed in FP10

Daniel Nashed in his blog mentions that ROBOT is to be addressed in Feature Pack 10: http://blog.nashcom.de/nashcomblog.nsf/dx/robot-ssltls-attack.htm

Mr. Nashed also makes the point that most browsers would try to use more secure ciphers when they are available, so the actual risk of less secure ciphers may be overstated.