Article Details
Scrape Timestamp (UTC): 2023-10-01 17:31:11.409
Original Article Text
New Marvin attack revives 25-year-old decryption flaw in RSA

A flaw related to the PKCS #1 v1.5 padding in SSL servers discovered in 1998 and believed to have been resolved still impacts several widely-used projects today.

After extensive testing that measures end-to-end operations, Red Hat researchers discovered several variations of the original timing attack, collectively called the 'Marvin Attack,' which can effectively bypass fixes and mitigations. The problem allows attackers to potentially decrypt RSA ciphertexts, forge signatures, and even decrypt sessions recorded on a vulnerable TLS server.

Using standard hardware, the researchers demonstrated that executing the Marvin Attack within just a couple of hours is possible, proving its practicality. Red Hat warns that the vulnerability isn't limited to RSA but extends to most asymmetric cryptographic algorithms, making them susceptible to side-channel attacks.

Based on the conducted tests, the following implementations are vulnerable to the Marvin Attack:

The Marvin Attack does not have a corresponding CVE despite highlighting a fundamental flaw in RSA decryption, mainly how padding errors are managed, due to the variety and complexity of individual implementations. So, while the Marvin Attack is a conceptual flaw, there isn't a singular fix or patch that can be applied universally, and the problem manifests differently on each project due to their unique codebases and RSA decryption implementation.

The researchers advise against using RSA PKCS#1 v1.5 encryption and urge impacted users to seek or request vendors to provide alternative backward compatibility avenues. Simply disabling RSA does not mean you're safe, warns the Q&A section of Marvin Attack's page. The risk is the same if the RSA key or certificate is used elsewhere on a server that supports it (SMTP, IMAP, POP mail servers, and secondary HTTPS servers).
Finally, Red Hat warns that FIPS certification does not guarantee protection against the Marvin Attack, except for Level 4 certification, which ensures good resistance to side-channel attacks. Although there have been no apparent signs of Marvin Attack being used by hackers in the wild, disclosing the details and parts of the tests and fuzzing code increases the risk of that happening shortly. For those interested in diving into the more technical details of the Marvin Attack, a paper published a few months back goes deeper into the problem and the tests conducted to appreciate its impact.
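The padding-error handling behind the timing leak described above, as an added example (not from the article, the researchers, or any affected project): an early-exit PKCS #1 v1.5 unpadding check beside a branch-free one. The function names and sample blocks are constructed for illustration; the layout checked (0x00 0x02, at least eight nonzero padding bytes, 0x00, message) is the standard PKCS #1 v1.5 encryption block.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample blocks (13 bytes each, not real key material). */
static const uint8_t SAMPLE_OK[13]       = {0,2,1,2,3,4,5,6,7,8,0,'h','i'};
static const uint8_t SAMPLE_SHORT_PS[13] = {0,2,1,2,3,4,5,6,7,0,'a','b','c'};
static const uint8_t SAMPLE_NO_SEP[13]   = {0,2,1,2,3,4,5,6,7,8,9,10,11};

/* Early-exit check: returns at the first wrong byte, so its running time
 * depends on where in the decrypted (secret) block the padding fails. */
int unpad_leaky(const uint8_t *em, size_t len, size_t *msg_off) {
    if (len < 11 || em[0] != 0x00 || em[1] != 0x02) return -1;
    for (size_t i = 2; i < len; i++) {
        if (em[i] != 0x00) continue;
        if (i < 10) return -1;            /* fewer than 8 padding bytes */
        *msg_off = i + 1;
        return 0;
    }
    return -1;                            /* no 0x00 separator */
}

/* All-ones mask if x == 0, else 0, computed without a branch on x. */
static uint32_t is_zero(uint32_t x) { return 0u - (((x | (0u - x)) >> 31) ^ 1u); }

/* Branch-free check: reads every byte and does the same work whatever the
 * content. len is public (the modulus size), so testing it may branch. */
int unpad_ct(const uint8_t *em, size_t len, size_t *msg_off) {
    if (len < 11 || len > 0xFFFF) return -1;
    uint32_t bad = ~is_zero(em[0]) | ~is_zero(em[1] ^ 0x02u);
    uint32_t found = 0, sep = 0;
    for (size_t i = 2; i < len; i++) {
        uint32_t first = is_zero(em[i]) & ~found;   /* first 0x00 only */
        sep |= (uint32_t)i & first;                 /* record its index */
        found |= first;
    }
    bad |= ~found;                                  /* no separator at all */
    bad |= 0u - ((sep - 10u) >> 31);                /* separator before index 10 */
    *msg_off = (size_t)((sep + 1u) & ~bad);         /* 0 on failure */
    return -(int)(bad & 1u);                        /* 0 = valid, -1 = invalid */
}

int main(void) {
    size_t off = 0;
    int rc = unpad_ct(SAMPLE_OK, sizeof SAMPLE_OK, &off);
    printf("valid block: rc=%d msg_off=%zu\n", rc, off);
    printf("short padding: rc=%d, no separator: rc=%d\n",
           unpad_ct(SAMPLE_SHORT_PS, 13, &off), unpad_ct(SAMPLE_NO_SEP, 13, &off));
    return 0;
}
```

A branch-free check covers only this one step: the article notes the leaks were found by measuring end-to-end operations, so the code that consumes the result must also avoid content-dependent timing.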
Daily Brief Summary
Red Hat researchers have found a revived flaw (originally discovered in 1998) related to the PKCS #1 v1.5 padding in secure socket layer (SSL) servers that still affects various widely-used projects.
Named the 'Marvin Attack', this method exposes vulnerabilities enabling attackers to decrypt RSA ciphertexts, forge signatures, and decipher sessions recorded on a susceptible transport layer security (TLS) server.
The researchers found it feasible to execute the Marvin Attack within a few hours using ordinary hardware, thus demonstrating its practicality.
The risks associated with the Marvin Attack are broad and are not restricted to RSA; they extend to most asymmetric cryptographic algorithms, making them prone to side-channel attacks.
It is advised not to rely on RSA PKCS#1 v1.5 encryption and users are urged to seek alternate backward compatibility solutions from vendors. Moreover, disabling RSA doesn't negate the risk.
While no instances of the Marvin Attack being used by cybercriminals have been observed so far, publicizing the issue and testing details could increase this risk in the future.