Closed tomato42 closed 8 months ago
@tomato42 , thank you for your report. I'll investigate and try to fix it.
Hi @tomato42 , I've just released jsrsasign 11.0.0. RSA and RSAOAEP encryption/decryption functions have been removed. I'm talking with Synk for CVE number coordination and I'll publish a security advisory for it. Thank you.
The security advisory has been published: https://github.com/kjur/jsrsasign/security/advisories/GHSA-rh63-9qcf-83gf
(Since I haven't found a security policy that would ask for filing security issues over email, I'm making a regular bug report)
I've tested jsrsasign 10.8.6 on nodejs 21.1.0 and I have found it vulnerable to the Marvin Attack.
Looking at the results, the bit size of the raw RSA decryption is leaking (so all padding modes will be vulnerable, both PKCS#1 v1.5 and OAEP) and, in the case of PKCS#1 v1.5, the size of the decrypted message is leaking. As such, it provides timing oracles useful in mounting a timing variant of the Bleichenbacher attack.
I've collected 10000 measurements per sample on an isolated core of an AMD Ryzen 5 5600X. The test returned statistically significant results even with 100 measurements per sample; I've executed it with 10000 to look for side channels other than the bit size of the raw RSA operation. That means that the returned p-values are 0, as they are smaller in reality than double precision floating point numbers can represent. For 100k measurements the summary looks as follows:
and the confidence interval graph for the individual probes: Legend to the graph:
Explanation for the ciphertexts is in the step2.py file.
Side note: the `valid_246` probe is actually invalid, it has a padding string of 7 bytes, which is less than the mandatory 8.

The reproducer I used for the test:

It can be used in a similar way as the python reproducer, but in the extract step you need to additionally specify `--binary 4`.