A groundbreaking discovery by Red Hat researchers has unveiled the continued threat posed by a vulnerability linked to PKCS #1 v1.5 padding in SSL/TLS servers. While this issue was identified in 1998 and believed to have been rectified, the original fix appears to be less robust than once thought.
This vulnerability has brought to light multiple variations of the original timing attack, now collectively called the "Marvin Attack," that could sidestep the previously installed safeguards. What makes the Marvin Attack particularly worrisome is its potential: attackers could decrypt RSA ciphertexts, decipher vulnerable TLS server recorded sessions, and even forge signatures.
Researchers illustrated the imminent threat and confirmed they could reproduce the attack within hours using commonplace hardware. This revelation accentuates not only the feasibility of the attack but also the potential risks, as malicious actors don't need specialized equipment to exploit this vulnerability.
"While the main venue of attack is TLS servers, the core issues that caused its widespread nature are applicable to most asymmetric cryptographic algorithms (Diffie-Hellman, ECDSA, etc.), not just to RSA," according to the Red Hat researchers' advisory. "Lessons learned are also applicable to testing the majority of cryptographic algorithms that can be vulnerable to side-channel attacks, not just public key cryptography."
Expanding the horizon of concern, the flaw does not confine its impact to RSA alone. In fact, most asymmetric encryption algorithms could be exposed to such side-channel attacks.
The following projects have been identified as impacted:
OpenSSL (TLS level): Timing Oracle in RSA Decryption – CVE-2022-4304
OpenSSL (API level): Make RSA decryption API safe to use with PKCS#1 v1.5 padding
GnuTLS (TLS level): Response times to malformed RSA ciphertexts in ClientKeyExchange differ from those for ciphertexts with correct PKCS#1 v1.5 padding - CVE-2023-0361
NSS (TLS level): Improve constant-timeness in RSA operations, released in 3.61; a significant improvement but not a complete fix, still vulnerable - CVE-2023-4421
pyca/cryptography: Attempt to mitigate Bleichenbacher attacks on RSA decryption; ineffective, requires an OpenSSL-level fix instead - CVE-2020-25659
M2Crypto: Mitigate the Bleichenbacher timing attacks in the RSA decryption API; ineffective, requires an OpenSSL-level fix instead - CVE-2020-25657
OpenSSL-ibmca: Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding in version 2.4.0
Go: crypto/rsa DecryptPKCS1v15SessionKey - limited leakage
GNU MP: mpz_powm_sec - leaks zero high order bits in result
Complicating the issue is the absence of a designated CVE for the Marvin Attack, primarily due to the diverse and intricate nature of the implementations. A one-size-fits-all fix remains elusive because of the unique nature of each project's RSA decryption process and codebase.
The researchers advocate against using the vulnerable RSA PKCS #1 v1.5 and urge users to explore backward-compatible alternatives. As stated in the researchers' Q&A on the Marvin Attack page, it's vital to note that merely disabling RSA in one service is insufficient. The risks persist if the same RSA certificate or key is also used elsewhere, such as in IMAP, POP, or SMTP mail servers, or on other HTTPS servers.
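The list above describes the oracle in one sentence: response times for malformed RSA ciphertexts differ from those for correctly padded ones. The following is an added example, not code from the article or from any of the projects it names, that makes the structural cause visible. It builds constructed PKCS#1 v1.5 type-2 blocks, unpads them with an early-exit parser and with a data-independent parser, and counts the bytes each one examines as a stand-in for elapsed time. The data-independent parser also applies "implicit rejection": on a padding failure it returns a random value of the expected length instead of an error, which is the backward-compatible mitigation TLS 1.2 prescribes for the premaster secret and the approach Go's DecryptPKCS1v15SessionKey takes. Python itself is not constant-time at the machine level; the example demonstrates the control-flow shape a safe implementation needs, not a timing-safe library.

```python
"""Added example (not from the article): why early-exit PKCS#1 v1.5 unpadding
leaks, and the control-flow shape plus implicit rejection that remove the signal."""
import os
from typing import Optional


def pkcs1_v15_pad(message: bytes, k: int) -> bytes:
    """Build an EME-PKCS1-v1_5 block: 00 || 02 || PS (non-zero, >= 8 bytes) || 00 || M.
    k is the RSA modulus length in bytes (constructed value in the demo below)."""
    ps_len = k - 3 - len(message)
    if ps_len < 8:
        raise ValueError("message too long for block size")
    ps = bytearray()
    while len(ps) < ps_len:  # padding string must contain no zero bytes
        ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + bytes(ps) + b"\x00" + message


def leaky_unpad(block: bytes, stats: dict) -> Optional[bytes]:
    """Early-exit parser: the number of bytes examined depends on WHERE the block
    is malformed. A remote observer measuring response time sees that difference."""
    stats["bytes_examined"] = 0
    if len(block) < 11:
        return None
    stats["bytes_examined"] += 1
    if block[0] != 0x00:
        return None
    stats["bytes_examined"] += 1
    if block[1] != 0x02:
        return None
    i = 2
    while i < len(block):
        stats["bytes_examined"] += 1
        if block[i] == 0x00:  # separator found: stop early
            break
        i += 1
    if i == len(block) or i < 10:  # no separator, or fewer than 8 padding bytes
        return None
    return block[i + 1:]


def ct_unpad(block: bytes, expected_len: int, stats: dict) -> bytes:
    """Data-independent control flow: every byte is always examined, the separator
    index is tracked with arithmetic instead of a break, the payload is taken with a
    fixed-length slice, and on failure a random value of the expected length is
    returned (implicit rejection) so the caller cannot distinguish failure from success.
    Assumes len(block) equals the modulus length k, as I2OSP guarantees."""
    k = len(block)
    if k < 11 or expected_len > k - 11:
        raise ValueError("block too short")  # depends only on public sizes
    stats["bytes_examined"] = 0
    bad = int(block[0] != 0x00) | int(block[1] != 0x02)
    found = 0  # becomes 1 once a zero byte has been seen
    sep = 0    # index of the first zero byte after the header
    for i in range(2, k):
        stats["bytes_examined"] += 1
        is_zero = int(block[i] == 0x00)
        first = is_zero & (found ^ 1)  # 1 only for the first zero byte
        sep |= i * first               # record its index without branching
        found |= is_zero
    bad |= found ^ 1                           # no separator at all
    bad |= int(sep < 10)                       # fewer than 8 padding bytes
    bad |= int(k - sep - 1 != expected_len)    # payload has the wrong length
    payload = block[k - expected_len:]         # fixed-length slice, independent of sep
    fallback = os.urandom(expected_len)        # substituted on failure
    mask = (bad - 1) & 0xFF                    # 0xFF when good, 0x00 when bad
    return bytes((p & mask) | (r & (mask ^ 0xFF)) for p, r in zip(payload, fallback))


def demo(k: int = 64, expected_len: int = 16) -> dict:
    """Constructed inputs: one valid block and two malformed blocks that fail at
    different positions (bad first byte vs. missing separator)."""
    secret = bytes(range(1, expected_len + 1))  # no zero bytes, so only PS ends with 0x00
    good = pkcs1_v15_pad(secret, k)
    bad_early = b"\x01" + good[1:]                                # wrong leading byte
    bad_late = good[:k - expected_len - 1] + b"\xff" + secret     # separator overwritten
    out = {}
    for name, blk in (("good", good), ("bad_early", bad_early), ("bad_late", bad_late)):
        s_leaky, s_ct = {}, {}
        leaky = leaky_unpad(blk, s_leaky)
        ct = ct_unpad(blk, expected_len, s_ct)
        out[name] = {
            "leaky_examined": s_leaky["bytes_examined"],
            "ct_examined": s_ct["bytes_examined"],
            "leaky_ok": leaky == secret,
            "ct_ok": ct == secret,
        }
    return out


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:10s} leaky examined {row['leaky_examined']:3d} bytes, "
              f"constant-time examined {row['ct_examined']:3d} bytes")
```

With a 64-byte block and a 16-byte payload, the early-exit parser examines 1 byte for a bad leading byte, 48 bytes for a valid block, and all 64 bytes when the separator is missing, which is exactly the position-dependent signal an oracle is built from; the data-independent parser examines 62 bytes in every case and hands the caller a 16-byte value whether or not the padding was valid. The remaining leak the article's project list points to (OpenSSL at the API level, NSS, GNU MP) sits below this layer, in the modular exponentiation and in conversion of the result to a fixed-length byte string, which is why a padding-layer fix alone in pyca/cryptography and M2Crypto was ineffective.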
While there is no concrete evidence of the Marvin Attack being exploited in the wild, publicizing the details could inadvertently escalate the risks of potential exploitations. All users and developers are urged to remain vigilant and take appropriate preventive measures.
For consumers, the "Marvin Attack" resurgence raises immediate concerns about online data security. As digital platforms dominate banking, shopping, and work, vulnerabilities in encryption, like RSA, pose tangible risks. Personal data, online banking information, and e-commerce transactions could be exposed.
As this vulnerability allows attackers to "potentially" decrypt RSA ciphertexts with run-of-the-mill hardware, the safety of recorded sessions between you and a vulnerable TLS server should be questioned.
Worse yet, this vulnerability extends beyond good old RSA and affects most asymmetric cryptographic algorithms, such as Diffie-Hellman and ECDSA, which in turn are widely used in most existing software. So, when fixes start being deployed, you should patch immediately.
The discovery underscores the importance of layered security approaches. Sole reliance on one encryption or security protocol is inadequate, implying the need for additional measures like two-factor authentication and personal VPNs. In other words, this development emphasizes the need for proactive, adaptive security strategies in our digital interactions.