
Certificate Services Support

How to mitigate Marvin's attack on TLS

What is the Marvin Attack?

The Marvin attack is a vulnerability that lets an attacker perform RSA decryption and signing operations with a private key they do not hold, provided they can observe how long decryption operations with that private key take.

Vulnerability Details:
  • The attacker is able to decrypt RSA ciphertexts and forge signatures.
  • For a TLS server that defaults to RSA encryption key exchanges, an attacker can record a session and decrypt it later.
Affected implementations

Implementation          | Details                                                                                                                               | CVE
OpenSSL (TLS level)     | Timing oracle in RSA decryption                                                                                                       | CVE-2022-4304
OpenSSL (API level)     | Make RSA decryption API safe to use with PKCS#1 v1.5 padding                                                                          | No CVE
GnuTLS (TLS level)      | Response times to malformed RSA ciphertexts in ClientKeyExchange differ from response times for ciphertexts with correct PKCS#1 v1.5 padding | CVE-2023-0361
NSS (TLS level)         | Improve constant-timeness in RSA operations (released in 3.61); a significant improvement, but not a complete fix, remains vulnerable | CVE-2023-4421
pyca/cryptography       | Attempt to mitigate Bleichenbacher attacks on RSA decryption; ineffective, requires an OpenSSL-level fix instead                      | CVE-2020-25659
M2Crypto                | Mitigate the Bleichenbacher timing attacks in the RSA decryption API; ineffective, requires an OpenSSL-level fix instead               | CVE-2020-25657
OpenSSL-ibmca           | Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding in version 2.4.0                                                             | No CVE


How to test for this vulnerability?
Using OpenSSL you can run the command below to check the certificate your web server presents and the signature algorithm it uses (redirecting standard input from /dev/null makes s_client exit once the handshake completes instead of waiting for input):

openssl s_client -connect <FQDN web address>:443 -servername <FQDN web address> </dev/null | openssl x509 -text -noout | grep "Signature Algorithm"

If RSA PKCS#1 v1.5 is being used, the signature algorithm might be listed as something similar to md5WithRSAEncryption, sha1WithRSAEncryption, or sha256WithRSAEncryption. These algorithms indicate that RSA PKCS#1 v1.5 is used for the signature.


How to mitigate this vulnerability?

  • Stop using PKCS#1 v1.5.
  • Disable the cipher suites that use RSA encryption for the key exchange.
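As an added example (not part of this support article), the check below separates suites that use static RSA key exchange (Kx=RSA, the mode in which the server decrypts with its private key and the one this attack targets) from suites that only authenticate with RSA over an ECDHE or DHE key exchange, and derives a cipher string that removes the former via OpenSSL's !kRSA keyword. The sample listing is constructed; list_ciphers() runs the real openssl ciphers -v command on the local machine.

```python
"""Classify `openssl ciphers -v` output by key-exchange method (added example).

Static RSA key exchange (Kx=RSA) is the mode in which the server decrypts the
client's premaster secret with its private key, the operation the Marvin timing
oracle targets; suites that only authenticate with RSA over ECDHE/DHE do not.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample of `openssl ciphers -v 'ALL'` output (not captured from a
# real host); list_ciphers() below runs the real command.
SAMPLE_CIPHERS_V = """\
TLS_AES_256_GCM_SHA384       TLSv1.3 Kx=any  Au=any Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-GCM-SHA384            TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA                   SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
"""

_LINE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)")

def parse_ciphers_v(text: str) -> List[Dict[str, str]]:
    """Parse listing lines into dicts with name, proto, kx and au."""
    suites = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            suites.append(dict(zip(("name", "proto", "kx", "au"), m.groups())))
    return suites

def rsa_key_exchange_suites(text: str) -> List[str]:
    """Names of suites using static RSA key exchange: the affected mode."""
    return [s["name"] for s in parse_ciphers_v(text) if s["kx"] == "RSA"]

def hardened_cipher_string(current: str) -> str:
    """Append OpenSSL's !kRSA keyword, which removes every Kx=RSA suite."""
    return current if "!kRSA" in current.split(":") else current + ":!kRSA"

def list_ciphers(cipher_string: str = "ALL") -> str:
    """Run the local openssl binary to list what a cipher string selects."""
    return subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    print("Static RSA key exchange:", rsa_key_exchange_suites(SAMPLE_CIPHERS_V))
    print("Hardened cipher string:", hardened_cipher_string("HIGH:!aNULL"))
```

To audit a real configuration, pass your server's cipher string to list_ciphers() and feed the result to rsa_key_exchange_suites(); an empty list means no static RSA key exchange suite can be negotiated.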