Skip to main content

How to mitigate Marvin attack on TLS

How to mitigate Marvin's attack on TLS

What is the Marvin Attack?

The Marvin attack is a vulnerability that allows performing RSA decryption and signing operations as the attacker has the ability to observe the time of the decryption operation with the private key.

Vulnerability Details:

  • The attacker is able to decrypt RSA ciphertexts and forge signatures.
  • For a TLS server that defaults to RSA encryption key exchanges, an attacker can record a session and decrypt it later.
Affected implementations
OpenSSL (TLS level) Timing Oracle in RSA Decryption CVE-2022-4304
OpenSSL (API level) Make RSA decryption API safe to use with PKCS#1 v1.5 padding No CVE
GnuTLS (TLS level) A vulnerability was found that the response times to malformed RSA ciphertexts in ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. CVE-2023-0361
NSS (TLS level) Improve constant-timeness in RSA operations. released in 3.61; significant improvement, but not a complete fix, remains vulnerable CVE-2023-4421
pyca/cryptography Attempt to mitigate Bleichenbacher attacks on RSA decryption ; ineffective, requires OpenSSL level fix instead CVE-2020-25659
M2Crypto Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657) ; ineffective, requires OpenSSL level fix instead CVE-2020-25657
OpenSSL-ibmca Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding in version 2.4.0 No CVE

How to test for this vulnerability?
Using OpenSSL you can run the command below to check the cipher suites implemented on your web server:

openssl s_client -connect <FQDN web address> :443 -servername <FQDN web address> | openssl x509 -text -noout | grep "Signature Algorithm"

If RSA PKCS#1 v1.5 is being used, the signature algorithm might be listed as something similar to md5WithRSAEncryption, sha1WithRSAEncryption, or sha256WithRSAEncryption. These algorithms indicate that RSA PKCS#1 v1.5 is used for the signature.


How to mitigate this vulnerability?

  • Stop using PKCS v1.5.
  • Disabling the cipher suites that use RSA encryption.