Security News > 2023 > September > ROBOT crypto attack on RSA is back as Marvin arrives
In a paper titled, "Everlasting ROBOT: the Marvin Attack," Hubert Kario, senior quality engineer on the QE BaseOS Security team at Red Hat, shows that many software implementations of the PKCS#1 v1.5 padding scheme for RSA key exchange that were previously deemed immune to Daniel Bleichenbacher's widely known attack are vulnerable.
"For TLS hosts that use forward secure ciphersuites, the attacker would have to perform a massively parallel attack to forge a server signature before a client would time out during the connection attempt. That makes the attack hard, but not impossible."
Kario's paper describes a practical attack on the M2Crypto library using 1024 bit RSA keys on a Lenovo T480s, Intel i7-8650U that was able to decrypt RSA ciphertext in 163,000 oracle calls that tested padding conformance.
"For an attacker that can get access to a host connected to the same network switch as the victim, a worst case scenario would require a few days to perform the attack against a vulnerable version of OpenSSL and a couple of hours to attack NSS," the paper says.
Affected implementations OpenSSL Timing Oracle in RSA Decryption CVE-2022-4304 OpenSSL Make RSA decryption API safe to use with PKCS#1 v1.5 padding No CVE GnuTLS A vulnerability was found that the response times to malformed RSA ciphertexts in ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.
Released in 3.61; significant improvement, but not a complete fix, remains vulnerable CVE-2023-4421 pyca/cryptography Attempt to mitigate Bleichenbacher attacks on RSA decryption; ineffective, requires OpenSSL level fix instead CVE-2020-25659 M2Crypto Mitigate the Bleichenbacher timing attacks in the RSA decryption API; ineffective, requires OpenSSL level fix instead CVE-2020-25657 OpenSSL-ibmca Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding in version 2.4.0 No CVE. APIs in Go and GNU MP were also found to have errors that made them susceptible to timing attacks.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/09/26/robot_marvin_rsa/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-12-12 | CVE-2023-4421 | Information Exposure Through Discrepancy vulnerability in Mozilla NSS The NSS code used for checking PKCS#1 v1.5 was leaking information useful in mounting Bleichenbacher-like attacks. | 6.5 |
| 2023-02-08 | CVE-2022-4304 | Information Exposure Through Discrepancy vulnerability in multiple products A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. | 5.9 |
| 2021-01-12 | CVE-2020-25657 | Covert Timing Channel vulnerability in multiple products A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 Ciphertext. | 5.9 |
| 2021-01-11 | CVE-2020-25659 | python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. | 5.9 |