Security News > 2023 > October > New Marvin attack revives 25-year-old decryption flaw in RSA

New Marvin attack revives 25-year-old decryption flaw in RSA
2023-10-01 14:16

Using standard hardware, the researchers demonstrated that executing the Marvin Attack within just a couple of hours is possible, proving its practicality.

The Marvin Attack does not have a corresponding CVE despite highlighting a fundamental flaw in RSA decryption, mainly how padding errors are managed, due to the variety and complexity of individual implementations.

While the Marvin Attack is a conceptual flaw, there isn't a singular fix or patch that can be applied universally, and the problem manifests differently on each project due to their unique codebases and RSA decryption implementation.

Simply disabling RSA does not mean you're safe, warns the Q&A section of Marvin Attack's page.

Finally, Red Hat warns that FIPS certification does not guarantee protection against the Marvin Attack, except for Level 4 certification, which ensures good resistance to side-channel attacks.

Although there have been no apparent signs of Marvin Attack being used by hackers in the wild, disclosing the details and parts of the tests and fuzzing code increases the risk of that happening shortly.


News URL

https://www.bleepingcomputer.com/news/security/new-marvin-attack-revives-25-year-old-decryption-flaw-in-rsa/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
RSA 12 0 46 18 3 67