Question 1: Is Pulse Secure Virtual Traffic Manager vulnerable to Bleichenbacher's Oracle (ROBOT attack)?
Answer: No. All supported releases of vTM (10.4r3, 17.2r2, 17.4, 18.1, 18.2, 18.3r1, 19.1, 19.2) are not vulnerable to Bleichenbacher's Oracle (ROBOT attack).

Question 2: A security scan report states that the vTM is vulnerable. How is this possible?
Answer: Some possible reasons for this:
- The website is not hosted on the vTM.
- There is another network element (SSL proxy, DPI firewall) between the equipment used to perform the security scan and the vTM, so the scanner is actually exercising that element's TLS stack rather than the vTM's.
- The security scan produced a measurement error (a false positive).

Question 3: I am not convinced. Can I have a second opinion?
Answer: Yes. There is an official Python tool to test for ROBOT attack vulnerability at https://robotattack.org/

Question 4: The Python tool says "not vulnerable", but the audit report says "vulnerable". What now?
Answer: First, check that the scan/measurement was done against the correct host and that there are no SSL-terminating network elements in front of the vTM. Second, ask your auditor how the scan was performed. One particularly common error is to (incorrectly) assume that any SSL server that supports RSA is always vulnerable to Bleichenbacher's Oracle (ROBOT attack). The oracle only exists where the server performs RSA key exchange, i.e. decrypts a client-chosen PKCS#1 v1.5 ciphertext; a server that uses its RSA certificate only for signing (ECDHE_RSA suites) or that only negotiates TLS 1.3 gives the attacker nothing to query. If that is the case for the scan report you have received, and there is no recourse with the auditor, you can disable all RSA cipher suites on the vTM, for example by setting System > Global > SSL Configuration > ssl!cipher_suites to: "TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384". Note that this will severely impact compatibility with older browsers and clients, since only TLS 1.3-capable clients will be able to connect.
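The distinction in the answer above, between suites that use RSA for key transport (the only place a Bleichenbacher oracle can exist) and suites that merely authenticate with an RSA certificate, is easy to check mechanically. The following script is an added example and is not part of this article or of the vTM product; it assumes IANA-style suite names of the kind used in the ssl!cipher_suites setting above, and the sample suite lists are constructed for illustration.

```python
"""Classify TLS cipher suites by how they use RSA (added example, not vTM code).

Assumes IANA-style names: TLS_RSA_WITH_..., TLS_ECDHE_RSA_WITH_..., TLS_AES_...
"""
import re

# Bleichenbacher's oracle (ROBOT) needs the server to RSA-decrypt a
# client-chosen ciphertext. Only static RSA key exchange does that:
# TLS_RSA_WITH_*, its EXPORT variants, and RSA_PSK. Suites that merely
# *sign* with an RSA certificate (ECDHE_RSA, DHE_RSA, ECDH_RSA, DH_RSA)
# never decrypt anything from the client. TLS 1.3 suites carry no
# key-exchange name at all because TLS 1.3 removed RSA key exchange.
RSA_KEY_TRANSPORT = re.compile(r"^(TLS|SSL)_RSA_(EXPORT_|PSK_)?WITH_")
RSA_AUTH_ONLY = re.compile(r"^(TLS|SSL)_(ECDHE|ECDH|DHE|DH)_RSA_WITH_")
TLS13 = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

# Constructed sample configurations (space-separated, as ssl!cipher_suites is).
FAQ_WORKAROUND = "TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384"
ECDHE_ONLY = ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 "
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
LEGACY_MIX = ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 "
              "TLS_RSA_WITH_AES_128_CBC_SHA "
              "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384")


def classify(suite):
    """Return one of: tls13, rsa_key_transport, rsa_auth_only, no_rsa."""
    if suite in TLS13:
        return "tls13"
    if RSA_KEY_TRANSPORT.match(suite):
        return "rsa_key_transport"
    if RSA_AUTH_ONLY.match(suite):
        return "rsa_auth_only"
    return "no_rsa"


def audit(cipher_suites):
    """Group every suite in a space-separated list by its RSA role."""
    groups = {"tls13": [], "rsa_key_transport": [], "rsa_auth_only": [], "no_rsa": []}
    for suite in cipher_suites.split():
        groups[classify(suite)].append(suite)
    return groups


def robot_relevant(cipher_suites):
    """True only if some suite performs RSA key transport, i.e. an oracle *could* exist."""
    return bool(audit(cipher_suites)["rsa_key_transport"])


def naive_scanner_flags(cipher_suites):
    """What the faulty audit logic described above does: flag anything with RSA in its name."""
    return any("_RSA_" in suite for suite in cipher_suites.split())


if __name__ == "__main__":
    for name, cfg in [("FAQ_WORKAROUND", FAQ_WORKAROUND),
                      ("ECDHE_ONLY", ECDHE_ONLY),
                      ("LEGACY_MIX", LEGACY_MIX)]:
        print(name, audit(cfg))
        print("  ROBOT-relevant suites present:", robot_relevant(cfg))
        print("  naive 'supports RSA' check flags it:", naive_scanner_flags(cfg))
```

The ECDHE_ONLY configuration is the interesting case: the naive check flags it because "RSA" appears in the suite names, yet no suite decrypts a client-supplied ciphertext, so there is no oracle to exploit. Suite names only tell you whether an oracle could exist at all; whether a server that does offer TLS_RSA_* suites actually leaks padding-validity differences is what the robotattack.org tool measures, and remains the authoritative test.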