What is the Marvin Attack?
The Marvin attack is a timing side-channel vulnerability that allows an attacker to perform RSA decryption and signing operations with a victim's private key, provided the attacker can observe how long decryption operations with that key take.
- The attacker is able to decrypt RSA ciphertexts and forge signatures.
- For a TLS server that defaults to RSA encryption key exchanges, an attacker can record a session and decrypt it later.
| Implementation | Fix / status | CVE |
|---|---|---|
| OpenSSL (TLS level) | Timing Oracle in RSA Decryption | CVE-2022-4304 |
| OpenSSL (API level) | Make RSA decryption API safe to use with PKCS#1 v1.5 padding | No CVE |
| GnuTLS (TLS level) | A vulnerability was found that the response times to malformed RSA ciphertexts in ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. | CVE-2023-0361 |
| NSS (TLS level) | Improve constant-timeness in RSA operations; released in 3.61. Significant improvement, but not a complete fix; remains vulnerable. | CVE-2023-4421 |
| pyca/cryptography | Attempt to mitigate Bleichenbacher attacks on RSA decryption; ineffective, requires OpenSSL-level fix instead. | CVE-2020-25659 |
| M2Crypto | Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657); ineffective, requires OpenSSL-level fix instead. | CVE-2020-25657 |
| OpenSSL-ibmca | Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding in version 2.4.0 | No CVE |
How to test for this vulnerability?
Using OpenSSL you can run the command below to check the signature algorithm of the certificate presented by your web server (the `</dev/null` redirection closes s_client's standard input so the command exits instead of waiting for interactive input):
openssl s_client -connect <FQDN web address>:443 -servername <FQDN web address> </dev/null 2>/dev/null | openssl x509 -text -noout | grep "Signature Algorithm"
If RSA PKCS#1 v1.5 is being used, the signature algorithm will be listed as something similar to md5WithRSAEncryption, sha1WithRSAEncryption, or sha256WithRSAEncryption. These names indicate that RSA PKCS#1 v1.5 is used for the signature.
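The script below is an added example, not part of the original page. It wraps the check above in a function and adds a second probe that is my own addition: it attempts a TLS 1.2 handshake offering only RSA key-exchange suites (`-cipher kRSA`), because a server that accepts such a suite is the one that performs the RSA PKCS#1 v1.5 decryption of a client-supplied ciphertext. The parsing helpers are kept separate from the network calls so they can be exercised on captured output; the function names, the host/port arguments and the `MARVIN_HOST`/`MARVIN_PORT` variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page). Only the
# "s_client | x509 | grep 'Signature Algorithm'" pipeline comes from the page;
# the kRSA handshake probe, helper names and MARVIN_* variables are assumptions.

# Classify a certificate signature-algorithm name as printed by `openssl x509`.
# RSA PKCS#1 v1.5 signature OIDs are named "<hash>WithRSAEncryption".
classify_sigalg() {
    case "$1" in
        *WithRSAEncryption) echo "rsa-pkcs1-v1.5" ;;
        rsassaPss)          echo "rsa-pss" ;;
        ecdsa-with-*)       echo "ecdsa" ;;
        *)                  echo "other" ;;
    esac
}

# Extract the negotiated suite from s_client output. s_client prints
# "New, TLSv1.2, Cipher is AES128-SHA" on success and
# "New, (NONE), Cipher is (NONE)" when no suite could be agreed.
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1
}

# The page's check: signature algorithm of the leaf certificate.
# </dev/null closes s_client's stdin so it exits instead of waiting for input.
fetch_sigalg() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -text -noout 2>/dev/null \
        | grep -m 1 "Signature Algorithm" | awk '{print $3}'
}

# Added probe: offer only RSA key-exchange suites over TLS 1.2 and report what
# the server negotiated. TLS 1.3 has no RSA key exchange, so -tls1_2 is forced.
probe_rsa_kex() {
    host="$1"; port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -tls1_2 -cipher 'kRSA' </dev/null 2>/dev/null)
    negotiated_cipher "$out"
}

scan_host() {
    host="$1"; port="${2:-443}"
    sigalg=$(fetch_sigalg "$host" "$port")
    printf 'certificate signature: %s (%s)\n' "$sigalg" "$(classify_sigalg "$sigalg")"
    suite=$(probe_rsa_kex "$host" "$port")
    if [ -n "$suite" ] && [ "$suite" != "(NONE)" ]; then
        printf 'RSA key exchange ACCEPTED: %s (server decrypts PKCS#1 v1.5 ciphertexts)\n' "$suite"
    else
        printf 'RSA key exchange refused\n'
    fi
}

# Run only when a target is given, e.g.  MARVIN_HOST=www.example.org sh marvin_check.sh
if [ -n "${MARVIN_HOST:-}" ]; then
    scan_host "$MARVIN_HOST" "${MARVIN_PORT:-443}"
fi
```

The certificate's signature algorithm tells you how the CA signed the certificate; the kRSA probe tells you whether the server itself will perform RSA key exchange, which is the operation that the TLS-level timing oracle exposes. Both results should be read together: a server with an RSA certificate that refuses every kRSA suite is no longer performing PKCS#1 v1.5 decryption in the handshake.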
How to mitigate this vulnerability?
- Stop using RSA PKCS#1 v1.5.
- Disable the cipher suites that use RSA encryption for key exchange.
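As an added example that is not part of the original page, the script below checks an OpenSSL cipher-list string (the kind placed in an nginx `ssl_ciphers` or Apache `SSLCipherSuite` directive) for suites that still use RSA key exchange, and shows the `!kRSA` exclusion that removes them. The parser works on the `openssl ciphers -v` output format, where the third column is `Kx=...`; the function names and the sample lines embedded below are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page). Function names and the sample
# `openssl ciphers -v` lines below are constructed for this example.

# Given `openssl ciphers -v` output, print the names of suites whose key
# exchange is plain RSA (Kx=RSA). In these suites the server decrypts a
# client-chosen PKCS#1 v1.5 ciphertext, which is what the timing oracle targets.
rsa_kex_suites() {
    printf '%s\n' "$1" | awk '$3 == "Kx=RSA" { print $1 }'
}

# Count such suites; 0 means the list is free of RSA key exchange.
count_rsa_kex() {
    printf '%s\n' "$1" | awk '$3 == "Kx=RSA" { c++ } END { print c + 0 }'
}

# Append the exclusion that removes every RSA key-exchange suite from a list.
# "!kRSA" is a permanent removal: later parts of the string cannot re-add them.
without_rsa_kex() {
    case "$1" in
        *'!kRSA'*) printf '%s\n' "$1" ;;
        *)         printf '%s:!kRSA\n' "$1" ;;
    esac
}

# Live check against the local OpenSSL: expand a cipher string and report.
# Returns 1 if RSA key-exchange suites remain, 2 if OpenSSL rejects the string.
check_cipher_list() {
    expanded=$(openssl ciphers -v "$1" 2>/dev/null) || {
        echo "openssl rejected cipher list: $1" >&2
        return 2
    }
    n=$(count_rsa_kex "$expanded")
    if [ "$n" -gt 0 ]; then
        echo "$n RSA key-exchange suite(s) still enabled in '$1':"
        rsa_kex_suites "$expanded"
        echo "suggested replacement: $(without_rsa_kex "$1")"
        return 1
    fi
    echo "no RSA key-exchange suites in: $1"
}

# Constructed sample in `openssl ciphers -v` format (not captured tool output).
SAMPLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1'

# Run against a real cipher string only when one is given, e.g.
#   CIPHER_LIST='HIGH:!aNULL:!kRSA' sh cipher_check.sh
if [ -n "${CIPHER_LIST:-}" ]; then
    check_cipher_list "$CIPHER_LIST"
fi
```

Note that `!kRSA` removes RSA key exchange while keeping suites such as ECDHE-RSA that still authenticate with the server's RSA certificate; those suites do not require the server to decrypt a client-supplied RSA ciphertext, so the certificate itself does not need to change.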