A flaw related to the PKCS #1 v1.5 padding in SSL servers, discovered in 1998 and long believed to have been resolved, still impacts several widely used projects today.
After extensive testing of end-to-end operations, Red Hat researchers discovered several variations of the original timing attack, collectively called the 'Marvin Attack,' which effectively bypass existing fixes and mitigations.
The problem allows attackers to potentially decrypt RSA ciphertexts, forge signatures, and even decrypt sessions recorded on a vulnerable TLS server.
Using standard hardware, the researchers demonstrated that executing the Marvin Attack within just a couple of hours is possible, proving its practicality.
Red Hat warns that the vulnerability isn’t limited to RSA but extends to most asymmetric cryptographic algorithms, making them susceptible to side-channel attacks.
Based on the conducted tests, the following implementations are vulnerable to the Marvin Attack:
- OpenSSL (TLS level): Timing Oracle in RSA Decryption – CVE-2022-4304
- OpenSSL (API level): Make RSA decryption API safe to use with PKCS#1 v1.5 padding – No CVE
- GnuTLS (TLS level): Response times to malformed RSA ciphertexts in ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding – CVE-2023-0361
- NSS (TLS level): Improve constant-timeness in RSA operations – CVE-2023-4421
- pyca/cryptography: Attempt to mitigate Bleichenbacher attacks on RSA decryption; found to be ineffective; requires an OpenSSL-level fix instead – CVE-2020-25659
- M2Crypto: Mitigate the Bleichenbacher timing attacks in the RSA decryption API; found to be ineffective; requires an OpenSSL-level fix instead – CVE-2020-25657
- OpenSSL-ibmca: Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding in version 2.4.0 – No CVE
- Go: crypto/rsa DecryptPKCS1v15SessionKey has limited leakage – No CVE
- GNU MP: mpz_powm_sec leaks zero high-order bits in result – No CVE
The Marvin Attack does not have a corresponding CVE, despite highlighting a fundamental flaw in RSA decryption, specifically in how padding errors are handled, because of the variety and complexity of the individual implementations.
So, while the Marvin Attack is a conceptual flaw, there is no single fix or patch that can be applied universally: the problem manifests differently in each project because of their distinct codebases and RSA decryption implementations.
The researchers advise against using RSA PKCS#1 v1.5 encryption and urge impacted users to seek, or request from their vendors, alternative ways of maintaining backward compatibility.
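The "how padding errors are handled" point is easier to see in code. The following Python is an added illustration, not Red Hat's test code and not the implementation of any project listed above: it shows textbook PKCS#1 v1.5 unpadding with early returns beside the structure that TLS 1.2 (RFC 5246 section 7.4.7.1) and Go's crypto/rsa DecryptPKCS1v15SessionKey use instead, where the caller supplies the expected key length and random fallback bytes, every byte is scanned, and the output is selected by a mask. The modular exponentiation is omitted (only the unpadding step is at issue) and the modulus length is fixed at 128 bytes to keep the constructed messages short. CPython gives no real constant-time guarantee, so the second function demonstrates the branch-free structure, not a production primitive.

```python
import os
from typing import Optional

K = 128  # modulus length in bytes (assumption for the demo; RSA-2048 would use 256)


def _ct_eq(a: int, b: int) -> int:
    """1 if a == b else 0, without a data-dependent branch (0 <= a, b < 2**31)."""
    return (((a ^ b) - 1) >> 32) & 1


def _ct_ge(a: int, b: int) -> int:
    """1 if a >= b else 0, same constraints as _ct_eq."""
    return 1 - (((a - b) >> 32) & 1)


def unpad_naive(em: bytes) -> Optional[bytes]:
    """Textbook PKCS#1 v1.5 type-2 unpadding with early returns.
    Each 'return None' is a distinct code path, so the time taken reveals
    which check failed: that timing difference is the oracle the attack uses."""
    if len(em) != K or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep == -1:
        return None          # no separator byte found
    if sep < 10:
        return None          # fewer than 8 bytes of non-zero padding
    return em[sep + 1:]      # payload length is whatever is left: another leak


def unpad_session_key(em: bytes, key_len: int, fallback: bytes) -> bytes:
    """Unpadding modelled on the RFC 5246 / Go DecryptPKCS1v15SessionKey approach
    (added example, not their code): scan the whole message, accumulate all checks
    into one flag, and select payload or fallback by mask. A failure takes the same
    path as a success and yields an unpredictable key, which then fails the
    handshake MAC exactly like any other wrong key would."""
    if len(fallback) != key_len:
        raise ValueError("fallback must have the expected key length")
    if len(em) != K:         # lengths are public, so branching on them is fine
        return fallback
    good = _ct_eq(em[0], 0x00) & _ct_eq(em[1], 0x02)
    looking, sep = 1, 0
    for i in range(2, K):                   # no early exit: every byte is visited
        is_zero = _ct_eq(em[i], 0x00)
        sep |= i * (looking & is_zero)      # records the position of the first zero
        looking &= 1 - is_zero
    good &= 1 - looking                     # a separator was found
    good &= _ct_ge(sep, 10)                 # at least 8 bytes of padding
    good &= _ct_eq(K - sep - 1, key_len)    # payload has the expected length
    mask = -good & 0xFF                     # 0xFF on success, 0x00 on failure
    start = K - key_len                     # public offset; on success sep == start - 1
    return bytes((p & mask) | (f & (mask ^ 0xFF))
                 for p, f in zip(em[start:], fallback))


def build_em(key: bytes, ps_len: Optional[int] = None,
             header: bytes = b"\x00\x02") -> bytes:
    """Constructed encoded message: header || non-zero padding || 0x00 || key.
    This is the value an RSA decryption produces before unpadding."""
    if ps_len is None:
        ps_len = K - 3 - len(key)
    ps = bytes(b or 1 for b in os.urandom(ps_len))   # padding must contain no 0x00
    return header + ps + b"\x00" + key


def demo() -> dict:
    """Runs both unpadding routines over a valid message and three malformed ones."""
    key = bytes(range(48))                  # constructed 48-byte premaster secret
    fallback = os.urandom(48)
    cases = {
        "valid": build_em(key),
        "bad_header": build_em(key, header=b"\x00\x01"),
        "short_padding": build_em(key, ps_len=4) + bytes(K - 55),
        "no_separator": b"\x00\x02" + bytes(b or 1 for b in os.urandom(K - 2)),
        "wrong_length": build_em(key[:32]),
    }
    results = {}
    for name, em in cases.items():
        naive, ct = unpad_naive(em), unpad_session_key(em, 48, fallback)
        results[name] = (naive == key, ct == key)
        print(f"{name:14s} naive_ok={naive == key!s:5s} ct_ok={ct == key}")
    return results


if __name__ == "__main__":
    demo()
```

The naive routine answers four different questions through its timing (wrong header, missing separator, short padding, odd payload length); the second routine answers only one, and even that answer is hidden behind a fallback key the peer cannot distinguish from a decryption that succeeded. That is the property each project listed above had to retrofit in its own code, which is why there is no single patch for the Marvin Attack.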
Simply disabling RSA does not mean you’re safe, warns the Q&A section of Marvin Attack’s page.
The risk is the same if the RSA key or certificate is used elsewhere on a server that supports it (SMTP, IMAP, POP mail servers, and secondary HTTPS servers).
Finally, Red Hat warns that FIPS certification does not guarantee protection against the Marvin Attack, except for Level 4 certification, which ensures good resistance to side-channel attacks.
Although there are no apparent signs of the Marvin Attack being used by hackers in the wild, the disclosure of the details and parts of the test and fuzzing code increases the risk of that happening soon.
For those interested in the more technical details of the Marvin Attack, a paper published a few months ago goes deeper into the problem and the tests conducted to assess its impact.