Re: So..... People Using Libraries Are Liable To Get Pwned
There's nothing in the article or the exploit page to say this is comes from a specific library, OSS or not.
Indeed, it does not.
I was one of the folks who had early, embargoed knowledge of ROBOT, and tested some TLS implementations for it (using Böck's Python client, now available on the ROBOT site). Like other Bleichenbacher variants, it's due to the sort of error that's easy to make, and thus can easily appear in independent implementations.
Specifically, the ROBOT oracle is how a server responds to various sorts of malformed messages. When the responses to different malformed messages also differ (in a "useful" way, which I'm not going to try to define here), that leaks some information about the server's RSA private key.[1] By varying the messages you leak different bits. It's pretty easy to determine just how much information is being leaked, so you can tell how many messages would be required to get enough of the key to brute-force the remainder. And that tells you whether an attack is feasible at a given technology-and-money point.
There are a lot of failure paths in RSA key exchange, so it's not hard to see why an implementation might not do exactly the same thing on all of them. This makes RSA Kx fragile, as the ROBOT page (and the article) points out. So removing it, or at least preferring DH/ECDH (preferably their ephemeral variants) suites, is a good option.
This can also be seen as a variation of Moxie Marlinspike's Cryptographic Doom Principle: If you don't validate the message as the very first thing you do, you're going to be sorry. Marlinspike was specifically talking about verifying the MAC, but ensuring the message is well-formed also applies.
Vulnerable ROBOT implementations are written in a variety of languages. Some are relatively old and some quite new. Some are proprietary closed source, and others are open. Some are embedded in appliances, and those are going to be the ones to look out for.
[1] Which is why this attack only applies if the connection is using RSA key exchange. It doesn't work against signing, only against encryption, so it's not a problem if the connection uses DH or ECDH key exchange, as the article mentions at the end.