Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Crypt-OpenSSL-RSA vulnerable to the Marvin Attack #42

Open
tomato42 opened this issue Mar 12, 2024 · 1 comment
Open

Crypt-OpenSSL-RSA vulnerable to the Marvin Attack #42

tomato42 opened this issue Mar 12, 2024 · 1 comment

Comments

@tomato42
Copy link

tomato42 commented Mar 12, 2024
edited
Loading

I've tried contacting the maintainer directly over the email twice, but received no reply for two weeks now, as such, I'm filing a public issue.

I've tested the rsa->decrypt() API with PKCS#1v1.5 padding and have verified that it is vulnerable to the Marvin Attack.

There is a clear side-channel that depends on the correctness of the PKCS#1 v1.5 padding.

When executing the attached reproducer with current OpenSSL 3.0 branch (openssl-3.0.13), on an i9-12900KS with extensive tuning, analysing 100 thousand decryptions per sample I got the following result:

Sign test mean p-value: 0.2109, median p-value: 0.02162, min p-value: 0.0
Friedman test (chisquare approximation) for all samples
p-value: 0.0
Worst pair: 1(no_header_with_payload_48), 6(valid_48)
Mean of differences: -5.95866e-07s, 95% CI: -8.33062e-07s, -3.422477e-07s (±2.454e-07s)
Median of differences: -3.64000e-07s, 95% CI: -3.67000e-07s, -3.610000e-07s (±3.000e-09s)
Trimmed mean (5%) of differences: -3.63660e-07s, 95% CI: -3.66392e-07s, -3.607752e-07s (±2.808e-09s)
Trimmed mean (25%) of differences: -3.63709e-07s, 95% CI: -3.66622e-07s, -3.608409e-07s (±2.890e-09s)
Trimmed mean (45%) of differences: -3.63951e-07s, 95% CI: -3.67040e-07s, -3.610646e-07s (±2.988e-09s)
Trimean of differences: -3.64000e-07s, 95% CI: -3.66750e-07s, -3.612500e-07s (±2.750e-09s)
Layperson explanation: Definite side-channel detected, implementation is VULNERABLE

The explanation of the ciphertext names are in the marvin-toolkit repo

The issue is most likely caused by the interface raising an exception here:

Crypt-OpenSSL-RSA/RSA.xs

Lines 221 to 231 in 01fe9b7

to_length = p_crypt(
from_length, from, (unsigned char*) to, p_rsa->rsa, p_rsa->padding);
if (to_length < 0)
{
Safefree(to);
CHECK_OPEN_SSL(0);
}
sv = newSVpv(to, to_length);
Safefree(to);
return sv;

Detailed results (explanation how to interpret them):
conf_interval_plot_trim_mean_45
legend.csv
report.csv

Reproducer: https://github.com/tomato42/marvin-toolkit/tree/master/example/perl-Crypt-OpenSSL-RSA
@tomato42
Copy link
Author

This issue was assigned CVE-2024-2467.

briandfoy added a commit to briandfoy/cpan-security-advisory that referenced this issue Apr 30, 2024
@briandfoy
CVE-2024-2467 for Crypt-OpenSSL-RSA (toddr/Crypt-OpenSSL-RSA#42)
5cd4ca9
@dkg dkg mentioned this issue Oct 9, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@tomato42