A new type of vulnerability in the software implementation of PKCS#1 v1.5 padding scheme for RSA key exchange, which was previously confirmed to be susceptible, has been discovered and still can be exploited. This attack has been named as “Marvin Attack”.
This vulnerability was first discovered by a Swiss cryptographer, Bleichenbacher, in 1998. According to the attack, an SSL/TLS server client can use server error responses to learn about the padding to decrypt the protected message.
However, after many years, this vulnerability resurfaced in 2017 when security researchers identified more than eight IT vendors and open-source projects that were found to be vulnerable to a variation of the original attack.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
Marvin Attack
Several CVEs have been assigned based on the implementation of the PKCS#1 v1.5. Threat actors can use the “Marvin Attack” to decrypt RSA ciphertexts, forge signatures, and even decrypt sessions recorded on a vulnerable TLS server.
In addition, reports also indicate that this vulnerability is not just limited to RSA but extends to almost all of the asymmetric cryptographic algorithms that are susceptible to side-channel attacks.
| Implementation | Description | CVE ID | Severity |
| OpenSSL (TLS level) | Timing Oracle in RSA Decryption | CVE-2022-4304 | 5.9 |
| OpenSSL (API level) | Make RSA decryption API safe to use with PKCS#1 v1.5 padding | no CVE | N/A |
| GnuTLS (TLS level) | A vulnerability was found that the response times to malformed RSA ciphertexts in ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. | CVE-2023-0361 | 7.4 |
| NSS (TLS level) | A vulnerability was found that the response times to malformed RSA ciphertexts in ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. | CVE-2023-4421 | N/A |
| pyca/cryptography | Attempt to mitigate Bleichenbacher attacks on RSA decryption; ineffective, requires OpenSSL level fix instead | CVE-2020-25659 | 5.9 |
| M2Crypto | Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657); ineffective, requires OpenSSL level fix instead | CVE-2020-25657 | 5.9 |
| OpenSSL-ibmca | Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding in version 2.4.0 | no CVE | N/A |
Source: RedHat
“We would consider any use of generic PKCS#1 v1.5 API that doesn’t use the Marvin workaround internally to be a case of CWE-242 (“Use of Inherently Dangerous Function”) and, without a verified side-channel free code on the calling side, an automatic vulnerability for the calling code.” reads the paper published by the researchers.
The complete research paper has been published by RedHat, which details the threat vector, attack pattern, and additional information about this vulnerability.
Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.