Hubert Kario, Senior Quality Engineer (QE BaseOS) at Red Hat, has discovered that many software implementations of the PKCS#1 v1.5 padding scheme used for RSA key exchange, previously believed to be resistant to the well-known attack by Daniel Bleichenbacher, are actually vulnerable.
In 1998, Bleichenbacher showed that a client of an SSL/TLS server can use the information in the server’s error responses to learn enough about the padding to decrypt protected messages.
This vulnerability has reappeared multiple times, most recently in 2017, when security researchers found that at least 8 IT vendors and open-source projects were susceptible to a variant of the original Bleichenbacher attack, which they dubbed “ROBOT.”
In his write-up, Kario notes that Bleichenbacher-style attacks on RSA are still possible and that vulnerable implementations are widespread. Kario named his attack “Marvin.” In essence, by sending specially crafted RSA ciphertexts to a server that uses PKCS#1 v1.5 padding and measuring how long the server takes to process them, an attacker can ultimately recover the target’s plaintext.
Kario recommends discontinuing the use of RSA PKCS#1 v1.5 encryption, noting that only servers that still offer RSA encryption are affected and that most modern clients rely on Elliptic Curve Diffie-Hellman instead.
Kario has identified at least 7 affected implementations, some of which have confirmed fixes. In his view, however, most cryptographic implementations of RSA PKCS#1 v1.5 remain vulnerable.
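To make the class of bug concrete, here is an added example (not code from Kario’s paper or from any of the affected libraries) contrasting a PKCS#1 v1.5 type-2 unpadding routine that exits early on the first bad byte with one that scans the whole block using mask arithmetic and, on a bad block, returns a random message instead of an error (implicit rejection). The sample blocks are constructed; Python offers no real constant-time guarantee, so the second routine shows the shape of the fix rather than a measurable one.

```python
import secrets
from typing import Optional

def ct_eq(a: int, b: int) -> int:
    """1 if a == b else 0, for non-negative ints below 2**31, no branch."""
    return (((a ^ b) - 1) >> 31) & 1

def ct_lt(a: int, b: int) -> int:
    """1 if a < b else 0, for non-negative ints below 2**31, no branch."""
    return ((a - b) >> 31) & 1

def unpad_leaky(em: bytes) -> Optional[bytes]:
    """Naive PKCS#1 v1.5 type-2 unpadding (constructed illustration).
    Each early return is reached at a different point in the scan, so the
    time to reject reveals where the padding first failed: a timing oracle."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(0x00, 2)
    if sep < 10:  # -1 (no separator) or fewer than 8 padding bytes
        return None
    return em[sep + 1:]

def unpad_constant_time(em: bytes) -> bytes:
    """Walks the whole block with mask arithmetic and always returns a
    message: the real one, or a random one of random length when the
    padding is bad (implicit rejection). Neither timing nor the result
    type tells a caller whether the padding was valid. Python cannot
    promise constant time; this shows the shape of the fix, not a proof."""
    k = len(em)
    if k < 11:
        raise ValueError("block shorter than a PKCS#1 v1.5 block")
    max_len = k - 11
    good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02)
    found, zero_idx = 0, 0
    for i in range(2, k):  # always walk the full block
        is_zero = ct_eq(em[i], 0x00)
        first = is_zero & (1 - found)  # first 0x00 after the header
        zero_idx |= i & -first
        found |= is_zero
    good &= found & (1 - ct_lt(zero_idx, 10))  # needs >= 8 padding bytes
    mlen = k - zero_idx - 1
    msg = bytearray(max_len)
    for j in range(max_len):  # fixed memory access pattern
        for i in range(k):
            msg[j] |= em[i] & -ct_eq(i, zero_idx + 1 + j)
    fake, fake_len = secrets.token_bytes(max_len), secrets.randbelow(max_len + 1)
    mask = -good  # 0 or -1 (all bits set)
    out = bytes((m & mask) | (f & ~mask) for m, f in zip(msg, fake))
    out_len = (mlen & mask) | (fake_len & ~mask)
    return out[:out_len]
```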
Here are the impacted products:
- OpenSSL (TLS level) – timing oracle in RSA decryption (CVE-2022-4304)
- OpenSSL (API level) – making the RSA API safe for use with PKCS#1 v1.5 padding (no CVE assigned)
- GnuTLS (TLS level) – the vulnerability lies in the difference in response time between malformed RSA ciphertexts in ClientKeyExchange and ciphertexts with correct PKCS#1 v1.5 padding (CVE-2023-0361)
- NSS (TLS level) – constant-time behaviour of RSA operations has been improved, but the fix in version 3.61 is incomplete, leaving