A serious vulnerability has been discovered in a widely used encryption method, putting many systems at risk. In his paper “Everlasting ROBOT: the Marvin Attack”, cryptographer Hubert Kario has revealed flaws in implementations of RSA public-key encryption using PKCS#1 v1.5 padding. This padding scheme was previously thought to be immune to a well-known attack discovered in 1998 by the Swedish cryptographer Daniel Bleichenbacher.
The Persistent Threat: Bleichenbacher's Legacy
Bleichenbacher showed in 1998 that an attacker could exploit information leaked through server error responses to decrypt RSA-encrypted messages.
This type of attack has reappeared many times, including in 2017 when researchers identified 8 IT vendors and open-source projects vulnerable to a variant called ROBOT, which stands for Return Of Bleichenbacher's Oracle Threat.
Marvin Attack: Decrypting the Paranoid Android
Kario has now demonstrated that many implementations of RSA encryption using PKCS#1 v1.5 padding remain vulnerable to Bleichenbacher-style attacks, despite fixes intended to address previous vulnerabilities. He calls his new attack technique Marvin, referring to “The Paranoid Android” from The Hitchhiker's Guide to the Galaxy.
By carefully measuring the time taken by a server to process specially crafted RSA ciphertexts, an attacker can eventually decrypt protected messages. This breaks the confidentiality of communications encrypted with vulnerable RSA implementations. Attackers may also be able to forge digital signatures in some cases.
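To make the timing signal concrete, here is an added example (not code from Kario's paper or from any of the projects named on this page) of a PKCS#1 v1.5 type-2 unpad check written two ways: an early-exit version whose running time depends on where the first malformed byte sits, and a version that scans every byte, folds all failures into one mask, and substitutes a caller-supplied fallback of the expected message length, the same idea TLS implementations use when they replace a bad premaster secret with random bytes. Python gives no real constant-time guarantee, so this shows the structure of the check rather than a production routine; the block size `k`, the 48-byte message length and the fallback are constructed values.

```python
import secrets

def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """Build a PKCS#1 v1.5 type-2 encryption block: 00 02 <nonzero pad> 00 <msg>."""
    pad_len = k - len(msg) - 3
    assert pad_len >= 8, "at least 8 bytes of padding required"
    pad = bytes(secrets.choice(range(1, 256)) for _ in range(pad_len))
    return b"\x00\x02" + pad + b"\x00" + msg

def leaky_unpad(em: bytes, k: int):
    """Early-exit check: time depends on which byte fails and where the 00 separator is."""
    if len(em) != k or em[0] != 0x00 or em[1] != 0x02:
        return None                      # fast path: header wrong
    sep = em.find(b"\x00", 2)            # scan stops at the first zero byte
    if sep == -1 or sep < 10:
        return None
    return em[sep + 1:]

def ct_unpad(em: bytes, k: int, msg_len: int, fallback: bytes) -> bytes:
    """Scan every byte, accumulate failures in one mask, return fallback on any error.
    Mirrors the TLS mitigation of substituting a random premaster secret of the
    expected length so the caller cannot tell a padding failure from success."""
    assert len(em) == k and len(fallback) == msg_len   # lengths are public values
    bad = int(em[0] != 0x00) | int(em[1] != 0x02)
    found, sep = 0, 0
    for i in range(2, k):
        is_zero = ((em[i] - 1) >> 8) & 1           # 1 iff em[i] == 0, no branch
        first = is_zero & (1 - found)              # 1 only at the first zero byte
        sep += first * i
        found |= is_zero
    bad |= 1 - found                               # no separator at all
    bad |= ((sep - 10) >> 64) & 1                  # fewer than 8 padding bytes
    diff = (k - 1 - sep) ^ msg_len                 # message length mismatch
    bad |= ((diff | -diff) >> 64) & 1
    mask = -bad & 0xFF                             # 0xFF on error, 0x00 on success
    candidate = em[k - msg_len:]                   # a valid message always sits at the tail
    return bytes((f & mask) | (c & (mask ^ 0xFF)) for f, c in zip(fallback, candidate))
```

The padding check is only the top layer: the list of affected implementations further down this page shows that leaks also live below it, in the RSA private-key operation and the conversion of its result to bytes, which is why library-level mitigations such as those in pyca/cryptography and M2Crypto were found to be ineffective.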
Vulnerable Implementations Exposed
Kario tested the attack against multiple libraries and found decryption was possible in under 9 hours in one case. He recommends disabling support for RSA encryption key exchanges to prevent exploitation. Modern TLS clients mostly use Elliptic Curve Diffie-Hellman instead. However, legacy compatibility requirements may make this difficult in some environments.
The paper identifies at least 7 implementations confirmed to be vulnerable. Some have patches available, but Kario believes most implementations of the PKCS#1 v1.5 standard contain flaws enabling Bleichenbacher-style attacks.
Anyone using systems relying on RSA encryption, especially with PKCS#1 v1.5 padding, should check with vendors about mitigations and consider disabling RSA where possible.
Red Hat has said that this vulnerability goes beyond RSA and many asymmetric cryptographic algorithms could be targeted, too. Here is a list of the implementations that are vulnerable to the Marvin Attack:
- OpenSSL (TLS level): Timing Oracle in RSA Decryption – CVE-2022-4304
- OpenSSL (API level): Make RSA decryption API safe to use with PKCS#1 v1.5 padding – No CVE
- GnuTLS (TLS level): Response times to malformed RSA ciphertexts in ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding – CVE-2023-0361
- NSS (TLS level): Improve constant-timeness in RSA operations – CVE-2023-4421
- pyca/cryptography: Attempt to mitigate Bleichenbacher attacks on RSA decryption; found to be ineffective; requires an OpenSSL level fix instead – CVE-2020-25659
- M2Crypto: Mitigate the Bleichenbacher timing attacks in the RSA decryption API; found to be ineffective; requires an OpenSSL level fix instead – CVE-2020-25657
- OpenSSL-ibmca: Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding in version 2.4.0 – No CVE
- Go: crypto/rsa DecryptPKCS1v15SessionKey has limited leakage – No CVE
- GNU MP: mpz_powm_sec leaks zero high order bits in result – No CVE
Stay Safe Online
To protect yourself until patches are released, use a trustworthy VPN service like NordVPN or ExpressVPN when connected to public Wi-Fi or unknown networks. VPNs encrypt your internet traffic to keep it private.
Also be sure to run updated antivirus software from a reputable provider like Bitdefender or Kaspersky. This will help detect and block malware that may exploit the Marvin Attack. Keep all your devices and software updated with the latest patches as they become available.
Stay Informed and Take Action
Unfortunately, there is no single fix for these vulnerabilities: each project requires its own solution because the codebases and RSA decryption implementations differ. If you are currently using an affected implementation, we recommend reading Red Hat's Q&A section to understand what you should do.