What is the Marvin Attack?
The Marvin attack is a vulnerability that lets an attacker perform RSA decryption and signing operations with a private key they do not hold, provided they can observe how long decryption operations with that private key take.
- The attacker is able to decrypt RSA ciphertexts and forge signatures.
- For a TLS server that defaults to RSA encryption key exchange, an attacker can record a session and decrypt it later.
| Library | Fix or advisory |
|---|---|
| OpenSSL (TLS level) | Timing Oracle in RSA Decryption |
| OpenSSL (API level) | Make RSA decryption API safe to use with PKCS#1 v1.5 padding |
| GnuTLS (TLS level) | A vulnerability was found that the response times to malformed RSA ciphertexts in ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. |
| NSS (TLS level) | Improve constant-timeness in RSA operations; released in 3.61; significant improvement, but not a complete fix, remains vulnerable |
| | Attempt to mitigate Bleichenbacher attacks on RSA decryption; ineffective, requires OpenSSL level fix instead |
| | Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657); ineffective, requires OpenSSL level fix instead |
| | Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding in version 2.4.0 |
How to test for this vulnerability?
Using OpenSSL you can run the command below against your web server to see which signature algorithm its certificate uses (the input redirection stops s_client from waiting on stdin, and the stderr redirection hides the handshake output):
openssl s_client -connect <FQDN web address>:443 -servername <FQDN web address> </dev/null 2>/dev/null | openssl x509 -text -noout | grep "Signature Algorithm"
If RSA PKCS#1 v1.5 is being used, the signature algorithm will be listed with a name such as md5WithRSAEncryption, sha1WithRSAEncryption, or sha256WithRSAEncryption. These algorithm names indicate that RSA PKCS#1 v1.5 is used for the signature.
How to mitigate this vulnerability?
- Stop using PKCS#1 v1.5 padding.
- Disable the cipher suites that use RSA encryption (RSA key exchange).
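To show where the response-time difference described in the table above comes from and what the mitigations change, here is an added Python example that is not from the original page or from any of the listed libraries: a PKCS#1 v1.5 depadding routine written the leaky way next to one shaped like the OpenSSL fix (scan every byte, keep a flag instead of returning early, and on failure return a synthetic message derived from the ciphertext, known as implicit rejection). It assumes `em` is the raw RSA private-key output already converted to bytes; the modulus size `K` and `REJECTION_KEY` are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Optional

K = 64  # constructed modulus size in bytes; a real RSA-2048 key gives k = 256
# Constructed secret for deriving the synthetic message on rejection. OpenSSL's fix
# derives this from the private key so that only the key holder can compute it.
REJECTION_KEY = b"constructed-secret-tied-to-the-private-key"


def pad_pkcs1_v15(msg: bytes, k: int = K) -> bytes:
    """EM = 0x00 || 0x02 || PS || 0x00 || M, with PS at least 8 non-zero random bytes."""
    ps_len = k - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def unpad_leaky(em: bytes) -> Optional[bytes]:
    """Early-exit checks: the run time depends on WHICH byte is wrong, which is the
    response-time difference between malformed and well-formed ciphertexts."""
    if em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:  # no separator (find returns -1) or PS shorter than 8 bytes
        return None
    return em[sep + 1:]


def unpad_implicit_rejection(em: bytes, ciphertext: bytes, k: int = K) -> bytes:
    """Mitigated shape: scan every byte, keep the verdict in a flag instead of an
    early return, and on failure hand back a synthetic message derived from the
    ciphertext so valid and invalid inputs take the same path. Python cannot
    guarantee constant time; the structure is what a C implementation would use."""
    bad = em[0] | (em[1] ^ 0x02)  # non-zero when the header bytes are wrong
    found, sep = 0, 0
    for i in range(2, k):  # always walk the whole buffer
        is_zero = int(em[i] == 0)
        take = is_zero & (found ^ 1)  # 1 only for the first zero byte
        sep |= i & -take  # mask-select the separator index without branching
        found |= is_zero
    bad |= found ^ 1  # no separator at all
    bad |= ((sep - 10) >> 64) & 1  # separator before index 10 means PS < 8 bytes
    synthetic = hmac.new(REJECTION_KEY, ciphertext, hashlib.sha256).digest()
    # A C implementation selects between the two with a mask; both are computed here.
    return synthetic if bad else em[sep + 1:]
```

The same invalid ciphertext always yields the same synthetic message, so a caller cannot tell rejection from a genuine decryption without the padding-check result itself.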