How to mitigate the Marvin attack on TLS
What is the Marvin Attack?
The Marvin attack is a timing side channel in RSA PKCS#1 v1.5 decryption: an attacker who can measure how long the holder of the private key takes to process chosen ciphertexts can use those timings as a padding oracle and, from it, decrypt ciphertexts and forge signatures without ever learning the key. It is a variant of Bleichenbacher's 1998 attack that gets past mitigations which were not actually constant-time.
Vulnerability Details:
- The attacker can decrypt RSA PKCS#1 v1.5 ciphertexts and forge RSA signatures with the victim's key, using nothing but timing measurements of the victim's decryption operations.
- For a TLS server that negotiates RSA key exchange (the TLS_RSA_* cipher suites, where the client encrypts the premaster secret to the server's RSA key), an attacker can record a session and decrypt it later. These suites have no forward secrecy, so the recorded session stays decryptable for as long as the server keeps answering the attacker's queries.
Implementation | Fix or status | CVE
---|---|---
OpenSSL (TLS level) | Timing Oracle in RSA Decryption | CVE-2022-4304
OpenSSL (API level) | Make RSA decryption API safe to use with PKCS#1 v1.5 padding | No CVE
GnuTLS (TLS level) | Response times to malformed RSA ciphertexts in ClientKeyExchange differed from response times for ciphertexts with correct PKCS#1 v1.5 padding | CVE-2023-0361
NSS (TLS level) | Improve constant-timeness in RSA operations (released in NSS 3.61); a significant improvement but not a complete fix, still vulnerable | CVE-2023-4421
pyca/cryptography | Attempt to mitigate Bleichenbacher attacks on RSA decryption; ineffective, an OpenSSL-level fix is required instead | CVE-2020-25659
M2Crypto | Mitigate the Bleichenbacher timing attacks in the RSA decryption API; ineffective, an OpenSSL-level fix is required instead | CVE-2020-25657
OpenSSL-ibmca | Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding in version 2.4.0 | No CVE
How to test for this vulnerability?
Using OpenSSL you can inspect what your web server negotiates. The command usually quoted for this looks at the certificate (the redirect from /dev/null makes s_client exit instead of waiting on stdin):

openssl s_client -connect <FQDN web address>:443 -servername <FQDN web address> < /dev/null | openssl x509 -text -noout | grep "Signature Algorithm"

If the output shows md5WithRSAEncryption, sha1WithRSAEncryption or sha256WithRSAEncryption, the certificate is signed with RSA PKCS#1 v1.5. Be clear about what that does and does not tell you: it reports how the CA signed the certificate, not which key exchange the server performs. The oracle Marvin exploits in TLS is the server's decryption of the client's ClientKeyExchange, so the question to answer is whether the server still accepts RSA key exchange (the TLS_RSA_* suites, selected by the kRSA keyword in OpenSSL's cipher-string syntax). A server that only negotiates (EC)DHE suites or TLS 1.3 does not expose that decryption oracle even though its certificate carries an RSA PKCS#1 v1.5 signature.
How to mitigate this vulnerability?
- Stop using RSA PKCS#1 v1.5 padding for decryption where you can, and where you cannot, run an implementation that carries the fix listed in the table above. The fix has to be in the library that performs the RSA operation: as the table notes, the pyca/cryptography and M2Crypto mitigations are ineffective on their own and need the OpenSSL-level fix.
- Disable the cipher suites that use RSA key exchange (TLS_RSA_*, or !kRSA in an OpenSSL cipher string) and keep only (EC)DHE suites, which also give forward secrecy; TLS 1.3 has no RSA key exchange at all. Updating the library removes the timing oracle, but removing the suites removes the attack surface entirely and closes the forward-secrecy gap that makes recorded sessions worth keeping.
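The two steps above, checking for RSA key exchange and removing it, as one added example (this is not code from the original article). It classifies an OpenSSL cipher-suite name as RSA key exchange or not, reads the negotiated suite out of an openssl s_client session summary, strips RSA-key-exchange suites out of a colon-separated OpenSSL cipher list, and probes a live server by offering only kRSA suites. The classification assumes OpenSSL's suite naming: TLS 1.2 names with no key-exchange prefix (AES128-SHA, AES256-GCM-SHA384) and RSA-PSK-* use RSA key exchange, while ECDHE-/DHE-/ECDH-/DH-/ADH-/AECDH-/PSK-/SRP- names and the TLS 1.3 TLS_* names do not. The two session transcripts embedded in the script are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): decide whether a TLS server
# still performs RSA key exchange, i.e. RSA PKCS#1 v1.5 decryption of the
# client's premaster secret, and filter such suites out of a cipher list.
# Assumption: OpenSSL's cipher-suite naming (see the comments in the case).

# is_static_rsa_cipher NAME -> exit 0 if NAME uses RSA key exchange, 1 otherwise.
is_static_rsa_cipher() {
    case "$1" in
        ''|0000)                                 return 1 ;;  # nothing negotiated
        TLS_*)                                   return 1 ;;  # TLS 1.3: always (EC)DHE
        ECDHE-*|DHE-*|ECDH-*|DH-*|ADH-*|AECDH-*) return 1 ;;  # (EC)DH key exchange
        PSK-*|SRP-*)                             return 1 ;;  # no RSA decryption involved
        *)                                       return 0 ;;  # AES128-SHA, RSA-PSK-*, ...
    esac
}

# negotiated_cipher < transcript -> the suite from the "Cipher    : X" line of an
# s_client session summary; OpenSSL prints 0000 there when the handshake failed.
negotiated_cipher() {
    sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# assess_transcript < transcript -> "RSA-KEX <suite>", "NO-RSA-KEX <suite>" or "NO-HANDSHAKE"
assess_transcript() {
    suite=$(negotiated_cipher)
    case "$suite" in
        ''|0000) echo "NO-HANDSHAKE"; return 0 ;;
    esac
    if is_static_rsa_cipher "$suite"; then
        echo "RSA-KEX $suite"
    else
        echo "NO-RSA-KEX $suite"
    fi
}

# without_rsa_kex 'A:B:C' -> the same colon-separated list minus RSA-key-exchange suites.
# This is the list to put in your server's cipher configuration.
without_rsa_kex() {
    out=''
    old_ifs=$IFS
    IFS=':'
    for s in $1; do
        if ! is_static_rsa_cipher "$s"; then
            out="${out:+$out:}$s"
        fi
    done
    IFS=$old_ifs
    echo "$out"
}

# probe_rsa_kex HOST [PORT]: offer the server only RSA-key-exchange suites (OpenSSL's
# kRSA cipher string) over TLS 1.2 and below. A completed handshake means the server
# will perform RSA PKCS#1 v1.5 decryption for any client that asks for it.
probe_rsa_kex() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        -cipher 'kRSA' -no_tls1_3 < /dev/null 2>/dev/null | assess_transcript
}

# Constructed, abridged s_client session summaries used to exercise the parser.
KRSA_SESSION='New, TLSv1.2, Cipher is AES128-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA'
FAILED_SESSION='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Usage: sh marvin_check.sh <host> [port]
if [ $# -ge 1 ]; then
    probe_rsa_kex "$1" "${2:-443}"
fi
```

Run it with a hostname to probe a live server; RSA-KEX in the output means the server still answers ClientKeyExchange with an RSA decryption and the Marvin oracle applies unless the library is fixed, NO-HANDSHAKE means the kRSA suites are already disabled. Feed your current cipher list to without_rsa_kex to get the hardened list; to see exactly which suites the kRSA keyword covers on your OpenSSL build, run openssl ciphers -v 'kRSA'.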