How to resolve the ROBOT vulnerability on Server 2008 R2?

I have discovered by using vulnerability test software that two Windows 2008 servers seem to be vulnerable to ROBOT attacks (Return of Bleichenbacher's Oracle Threat). I've been reading several articles with no answers. Is there a Microsoft patch that fixes this (Windows Update), or is there a proper way to disable the RSA ciphers? There seems to be a lot of info out there but nothing related to fixing the issue on a Windows 2008 R2 server.

Can anyone point me in the right direction?
Omar Urena, Systems Administrator, asked:

Hello There, System Administrator, commented:
The only patches are here: https://robotattack.org/#patches
There is no MS patch for this, obviously, because ROBOT targets web servers.

But you can still take some steps to prevent this by disabling RSA encryption.

A pretty nice explanation is here: https://security.stackexchange.com/questions/177337/what-makes-servers-vulnerable-to-return-of-bleichenbachers-oracle-threat-robot

Mitigation steps:
Ideally, both mitigation steps should be taken.
1. Update your server; patches are provided by most vendors. If you patch your server, you're immune to the ROBOT vulnerability.
Note: If a patch is not available from your vendor, you can mitigate with the 2nd step.
2. Disable RSA key exchange ciphers (recommended). If you want to keep support for RSA key exchange ciphers, your server should at least support forward secrecy with modern browsers (keep RSA ciphers last).
btan, Exec Consultant, commented:
Microsoft is not affected in default configurations.
https://www.kb.cert.org/vuls/id/144389
https://www.kb.cert.org/vuls/id/CHEU-AT5U6T

You can transition to encryption configurations that don't use RSA for key exchange. There are multiple alternatives, one being Elliptic Curve Diffie-Hellman Ephemeral (ECDHE). Windows and browsers such as Chrome, Edge, and Safari already prioritize ECDHE, so the risk of disruption is low. Also, forward secrecy is a better cipher mode than RSA encryption. That means that even if the key of a server gets stolen by an attacker, this doesn't allow the attacker to decrypt traffic from the past. The forward secrecy cipher modes use Diffie-Hellman or Elliptic Curve Diffie-Hellman.

If you want to be sure, you can look at this, which has a PowerShell script to configure the server to support the TLS 1.1 and TLS 1.2 protocols with forward secrecy only. Specifically for the key exchange, remove "PKCS" to disable RSA encryption.
# Set KeyExchangeAlgorithms configuration.
$kexPath = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms'
New-Item $kexPath -Force | Out-Null
# 'PKCS' is the RSA key exchange entry. To turn RSA key exchange off, drop it from this list and set its Enabled value to 0.
$secureKeyExchangeAlgorithms = @(
  'Diffie-Hellman',
  'ECDH',
  'PKCS'
)
Foreach ($secureKeyExchangeAlgorithm in $secureKeyExchangeAlgorithms) {
  $algPath = Join-Path $kexPath $secureKeyExchangeAlgorithm
  New-Item $algPath -Force | Out-Null
  New-ItemProperty -Path $algPath -Name 'Enabled' -Value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
}
https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12

The next version of TLS, 1.3, will not support RSA key exchange at all.
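Both answers above come down to the same two Schannel settings on the server: the PKCS (RSA) key exchange switch that btan's snippet touches, and the cipher suite order that Hello There's step 2 ("keep RSA ciphers last") refers to. The following PowerShell script is an added example, not code from this thread or from the hass.de script, that reports the current state of both and, with -Apply, rewrites them the way the answers describe. It assumes an elevated PowerShell 2.0 or later session on the 2008 R2 host and the documented Schannel and Cryptography registry paths; the script file name is hypothetical, and the suite names come from the host's own list, so nothing is hardcoded.

```powershell
# Added example (not from the thread, not the hass.de script). Assumes an elevated
# PowerShell 2.0+ session on the 2008 R2 host and the documented Schannel registry paths.
#   .\Audit-RsaKeyExchange.ps1                     report only
#   .\Audit-RsaKeyExchange.ps1 -Apply              reorder suites and disable PKCS (RSA key exchange)
#   .\Audit-RsaKeyExchange.ps1 -Apply -KeepRsaLast fallback: keep TLS_RSA_* suites, but last
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply,
    [switch]$KeepRsaLast
)
$PkcsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Test-RsaKeyExchangeSuite([string]$Suite) {
    # TLS_RSA_WITH_* encrypts the premaster secret to the server's RSA key; that is the
    # padding oracle ROBOT exploits. TLS_ECDHE_RSA_* and TLS_DHE_RSA_* use RSA only to
    # sign the handshake and are not affected.
    return $Suite -like 'TLS_RSA_WITH_*'
}
function Test-ForwardSecretSuite([string]$Suite) {
    return ($Suite -like 'TLS_ECDHE_*') -or ($Suite -like 'TLS_DHE_*')
}
function Get-CipherSuiteOrder {
    # A Group Policy order (REG_SZ, comma separated) overrides the local default list
    # (REG_MULTI_SZ); report whichever one Schannel will actually use.
    $policy = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy -and $policy.Functions) {
        $suites = @($policy.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        return New-Object PSObject -Property @{ Source = 'policy'; Suites = $suites }
    }
    $local = Get-ItemProperty -Path $LocalKey -Name Functions -ErrorAction SilentlyContinue
    if ($local -and $local.Functions) {
        return New-Object PSObject -Property @{ Source = 'local default'; Suites = @($local.Functions) }
    }
    return New-Object PSObject -Property @{ Source = 'none'; Suites = @() }
}
function New-HardenedOrder([string[]]$Current, [bool]$KeepRsa) {
    # Forward-secret suites first, then the other non-RSA suites, then (only if asked)
    # TLS_RSA_* at the very end. Order inside each group is preserved, nothing is invented.
    $fs = @(); $rsa = @(); $other = @()
    foreach ($s in $Current) {
        if (Test-ForwardSecretSuite $s)      { $fs += $s }
        elseif (Test-RsaKeyExchangeSuite $s) { $rsa += $s }
        else                                 { $other += $s }
    }
    $ordered = $fs + $other
    if ($KeepRsa) { $ordered += $rsa }
    return $ordered
}

# ---- report ---------------------------------------------------------------------
$pkcs = Get-ItemProperty -Path $PkcsKey -Name Enabled -ErrorAction SilentlyContinue
$pkcsDisabled = ($pkcs -ne $null) -and ($pkcs.Enabled -eq 0)
$pkcsState = 'enabled (default)'
if ($pkcsDisabled) { $pkcsState = 'disabled' }
Write-Output "KeyExchangeAlgorithms\PKCS (RSA key exchange): $pkcsState"
$order     = Get-CipherSuiteOrder
$rsaSuites = @($order.Suites | Where-Object { Test-RsaKeyExchangeSuite $_ })
$fsSuites  = @($order.Suites | Where-Object { Test-ForwardSecretSuite $_ })
Write-Output ("Cipher suite order ({0}): {1} suites, {2} forward-secret, {3} RSA key exchange" -f $order.Source, $order.Suites.Count, $fsSuites.Count, $rsaSuites.Count)
if ($rsaSuites.Count -gt 0 -and -not $pkcsDisabled) {
    Write-Warning ("RSA key exchange is still negotiable (e.g. {0}); a ROBOT scanner selects such a suite itself." -f $rsaSuites[0])
}
if (-not $Apply) { return }

# ---- apply ----------------------------------------------------------------------
if ($order.Suites.Count -gt 0) {
    $newOrder  = @(New-HardenedOrder $order.Suites $KeepRsaLast.IsPresent)
    $functions = $newOrder -join ','
    if ($functions.Length -gt 1023) {
        # The policy value is limited to 1023 characters; a longer one is ignored.
        throw "New Functions value is $($functions.Length) characters; trim the list below 1023."
    }
    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set Functions to $($newOrder.Count) suites")) {
        # Save the list being replaced so the change can be reverted.
        $backup = Join-Path $env:TEMP ('schannel-functions-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
        $order.Suites | Set-Content -Path $backup
        New-Item -Path $PolicyKey -Force | Out-Null
        New-ItemProperty -Path $PolicyKey -Name Functions -Value $functions -PropertyType String -Force | Out-Null
        Write-Output "Wrote cipher suite order ($($newOrder.Count) suites); previous list saved to $backup"
    }
} else {
    Write-Warning 'No cipher suite list found in the registry; nothing to reorder.'
}
if (-not $KeepRsaLast -and $PSCmdlet.ShouldProcess($PkcsKey, 'Set Enabled = 0')) {
    # The "remove PKCS" step: with Enabled = 0 Schannel refuses RSA key exchange outright.
    New-Item -Path $PkcsKey -Force | Out-Null
    New-ItemProperty -Path $PkcsKey -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
    Write-Output 'Disabled RSA key exchange (PKCS). Reboot for Schannel to load both changes.'
}
```

Run it without -Apply first. If TLS_RSA_* suites are still listed and PKCS is enabled, the scanner finding will not clear: a ROBOT test selects an RSA key exchange suite itself, so moving those suites to the end only protects clients that prefer ECDHE, which is why disabling RSA key exchange is the recommended option of the two. Schannel reads these keys at boot, so reboot and re-scan after applying. The script writes the Group Policy order value; if the domain already pushes an SSL Cipher Suite Order policy, that policy will overwrite it on the next refresh and the change belongs in the GPO instead.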
btan, Exec Consultant, commented:
For author advice

btan, Exec Consultant, commented:
No further inputs received.