Marvin Attack: 25-year-old RSA Decryption Vulnerability Disclosed

A new type of vulnerability in the software implementation of PKCS#1 v1.5 padding scheme for RSA key exchange, which was previously confirmed to be susceptible, has been discovered and still can be exploited. This attack has been named as “Marvin Attack”.

This vulnerability was first discovered by a Swiss cryptographer, Bleichenbacher, in 1998. According to the attack, an SSL/TLS server client can use server error responses to learn about the padding to decrypt the protected message.


However, after many years, this vulnerability resurfaced in 2017 when security researchers identified more than eight IT vendors and open-source projects that were found to be vulnerable to a variation of the original attack.


Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Marvin Attack

Several CVEs have been assigned based on the implementation of the PKCS#1 v1.5. Threat actors can use the “Marvin Attack” to decrypt RSA ciphertexts, forge signatures, and even decrypt sessions recorded on a vulnerable TLS server.

In addition, reports also indicate that this vulnerability is not just limited to RSA but extends to almost all of the asymmetric cryptographic algorithms that are susceptible to side-channel attacks.

ImplementationDescriptionCVE IDSeverity
OpenSSL (TLS level)Timing Oracle in RSA DecryptionCVE-2022-43045.9
OpenSSL (API level)Make RSA decryption API safe to use with PKCS#1 v1.5 paddingno CVEN/A
GnuTLS (TLS level)A vulnerability was found that the response times to malformed RSA ciphertexts in ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.CVE-2023-03617.4
NSS (TLS level)A vulnerability was found that the response times to malformed RSA ciphertexts in ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding.CVE-2023-4421N/A
pyca/cryptographyAttempt to mitigate Bleichenbacher attacks on RSA decryption; ineffective, requires OpenSSL level fix insteadCVE-2020-256595.9
M2CryptoMitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657); ineffective, requires OpenSSL level fix insteadCVE-2020-256575.9
OpenSSL-ibmcaConstant-time fixes for RSA PKCS#1 v1.5 and OAEP padding in version 2.4.0no CVEN/A

Source: RedHat

“We would consider any use of generic PKCS#1 v1.5 API that doesn’t use the Marvin workaround internally to be a case of CWE-242 (“Use of Inherently Dangerous Function”) and, without a verified side-channel free code on the calling side, an automatic vulnerability for the calling code.” reads the paper published by the researchers.

The complete research paper has been published by RedHat, which details the threat vector, attack pattern, and additional information about this vulnerability.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.