Recent Marvin Attack Exploits a 25-Year-Old RSA Decryption Vulnerability

A flaw tied to the PKCS #1 v1.5 padding in SSL servers, originally identified back in 1998 and assumed to have been resolved, continues to affect various widely-used projects today. Collectively named the ‘Marvin Attack,’ these variations can effectively circumvent fixes and mitigations that have been put in place.

This vulnerability allows potential decryption of RSA ciphertexts, the forging of signatures, and even the decryption of recorded sessions on a vulnerable TLS server. The researchers demonstrated that it’s possible to execute the Marvin Attack using standard hardware within just a couple of hours, underscoring its practicality.

It’s essential to note that this vulnerability isn’t limited to RSA alone but extends to most asymmetric cryptographic algorithms, rendering them susceptible to side-channel attacks.

Despite highlighting a fundamental flaw in RSA decryption, mainly concerning how padding errors are handled, the Marvin Attack lacks a corresponding CVE (Common Vulnerabilities and Exposures) due to the diverse and intricate nature of individual implementations.

Hence, while the Marvin Attack represents a conceptual flaw, there’s no one-size-fits-all fix or patch that can be universally applied. The issue manifests differently across various projects because of their unique codebases and RSA decryption implementations.

As a result, the researchers advise against using RSA PKCS#1 v1.5 encryption and recommend that affected users seek alternative backward compatibility solutions from vendors.

However, it’s crucial to understand that merely disabling RSA does not guarantee safety. The risk remains if the RSA key or certificate is employed elsewhere on a server that supports it, such as SMTP, IMAP, POP mail servers, and secondary HTTPS servers.

Furthermore, FIPS (Federal Information Processing Standards) certification does not provide comprehensive protection against the Marvin Attack, except for Level 4 certification, which ensures robust resistance to side-channel attacks.

Although there have been no apparent indications of malicious exploitation of the Marvin Attack in real-world scenarios, the disclosure of details and portions of the test and fuzzing code heightens the risk of such occurrences in the near future.

For those interested in delving into the more technical aspects of the Marvin Attack, a recent research paper delves deeper into the problem and the tests conducted to assess its impact.