toddr / Crypt-OpenSSL-RSA

Release history of Crypt-OpenSSL-RSA
https://metacpan.org/pod/Crypt::OpenSSL::RSA

Crypt-OpenSSL-RSA vulnerable to the Marvin Attack #42

Open tomato42 opened 4 months ago

tomato42 commented 4 months ago

I've tried contacting the maintainer directly over email twice, but have received no reply for two weeks now; as such, I'm filing a public issue.

I've tested the rsa->decrypt() API with PKCS#1v1.5 padding and have verified that it is vulnerable to the Marvin Attack.

There is a clear side-channel that depends on the correctness of the PKCS#1 v1.5 padding.

When executing the attached reproducer with the current OpenSSL 3.0 branch (openssl-3.0.13), on an i9-12900KS with extensive tuning, analysing 100 thousand decryptions per sample, I got the following result:

Sign test mean p-value: 0.2109, median p-value: 0.02162, min p-value: 0.0
Friedman test (chisquare approximation) for all samples
p-value: 0.0
Worst pair: 1(no_header_with_payload_48), 6(valid_48)
Mean of differences: -5.95866e-07s, 95% CI: -8.33062e-07s, -3.422477e-07s (±2.454e-07s)
Median of differences: -3.64000e-07s, 95% CI: -3.67000e-07s, -3.610000e-07s (±3.000e-09s)
Trimmed mean (5%) of differences: -3.63660e-07s, 95% CI: -3.66392e-07s, -3.607752e-07s (±2.808e-09s)
Trimmed mean (25%) of differences: -3.63709e-07s, 95% CI: -3.66622e-07s, -3.608409e-07s (±2.890e-09s)
Trimmed mean (45%) of differences: -3.63951e-07s, 95% CI: -3.67040e-07s, -3.610646e-07s (±2.988e-09s)
Trimean of differences: -3.64000e-07s, 95% CI: -3.66750e-07s, -3.612500e-07s (±2.750e-09s)
Layperson explanation: Definite side-channel detected, implementation is VULNERABLE

The explanation of the ciphertext names is in the marvin-toolkit repo.

The issue is most likely caused by the interface raising an exception here: https://github.com/toddr/Crypt-OpenSSL-RSA/blob/01fe9b73040838f63981af879e4f36a7e299b97c/RSA.xs#L221-L231

Detailed results (explanation of how to interpret them): conf_interval_plot_trim_mean_45 legend.csv report.csv

Reproducer: https://github.com/tomato42/marvin-toolkit/tree/master/example/perl-Crypt-OpenSSL-RSA
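The side channel described in the report above, shown as an added Python example that is not part of Crypt-OpenSSL-RSA, of OpenSSL, or of the reporter's reproducer. It contrasts the pattern the issue points at (a decryption API that exits early and raises on each PKCS#1 v1.5 padding failure, so the time taken reveals which check failed) with implicit rejection, the countermeasure adopted by later OpenSSL releases: every check always runs, nothing is raised, and on failure the caller receives a synthetic plaintext derived from a secret and the ciphertext, so a Bleichenbacher-style oracle sees no difference between "bad padding" and "valid padding around junk". The RSA key (built from two Mersenne primes), the `key_secret` argument, the `decrypt_v15_*` function names and all test vectors are constructions of this example; the key is far too small to be secure and exists only so the block runs offline with no dependencies. Python cannot guarantee constant time; the point is the branch-free control flow, which is what a native implementation must preserve.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key built from two Mersenne primes so the example is
# deterministic and dependency-free. It is an assumption of this example,
# NOT a real key: a 196-bit modulus is trivially factorable, never reuse it.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (25)
MAX_MSG = K - 11                        # longest PKCS#1 v1.5 payload (14)


def rsa_raw_encrypt(em: bytes) -> bytes:
    """Textbook RSA on an already-encoded block (used to build test vectors)."""
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def rsa_raw_decrypt(ct: bytes) -> bytes:
    """Textbook RSA private operation; returns the encoded message EM."""
    return pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")


def rsa_encrypt_v15(msg: bytes) -> bytes:
    """PKCS#1 v1.5 type-2 encoding: 00 02 PS 00 M, PS non-zero and >= 8 bytes."""
    if len(msg) > MAX_MSG:
        raise ValueError("message too long")
    ps = b""
    while len(ps) < K - 3 - len(msg):
        b = secrets.token_bytes(1)
        if b != b"\x00":
            ps += b
    return rsa_raw_encrypt(b"\x00\x02" + ps + b"\x00" + msg)


def decrypt_v15_leaky(ct: bytes) -> bytes:
    """The pattern the issue describes: each padding failure exits early and
    raises, so the time taken depends on *which* check failed (the oracle)."""
    em = rsa_raw_decrypt(ct)
    if em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("no separator")
    if sep - 2 < 8:
        raise ValueError("padding string too short")
    return em[sep + 1:]


# --- branch-free helpers on small non-negative ints ---
def ct_eq(a: int, b: int) -> int:
    return ((a ^ b) - 1 >> 8) & 1           # 1 if a == b (both 0..255), else 0

def ct_ge(a: int, b: int) -> int:
    return 1 - (((a - b) >> 31) & 1)        # 1 if a >= b, else 0

def ct_select(flag: int, a: int, b: int) -> int:
    mask = -flag                            # flag 0 -> 0, flag 1 -> all ones
    return (a & mask) | (b & ~mask)


def decrypt_v15_implicit(ct: bytes, key_secret: bytes) -> bytes:
    """Implicit rejection: run every check unconditionally, never raise, and on
    failure return a synthetic plaintext fixed by (key_secret, ciphertext).
    key_secret is an assumption of this example; a real implementation derives
    it from the private key so the attacker cannot predict the synthetic value."""
    em = rsa_raw_decrypt(ct)

    # Synthetic plaintext: length and content are a PRF of the ciphertext.
    prf = hmac.new(key_secret, ct, "sha256").digest()
    synth_len = prf[0] % (MAX_MSG + 1)
    synth = hashlib.sha256(prf + b"synthetic").digest()[:synth_len]
    synth_buf = bytes(K - synth_len) + synth            # right-aligned like EM

    good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02)
    found, sep = 0, 0
    for i in range(2, K):                               # always scan the whole block
        is_zero = ct_eq(em[i], 0x00)
        first = is_zero & (1 - found)
        sep = ct_select(first, i, sep)
        found |= is_zero
    good &= found
    good &= ct_ge(sep - 2, 8)                           # PS must be >= 8 bytes

    real_len = K - sep - 1
    out_len = ct_select(good, real_len, synth_len)
    out = bytes(ct_select(good, em[j], synth_buf[j]) for j in range(K))
    return out[K - out_len:]
```

Feeding the three malformed blocks from the test vectors (wrong block type, no separator, padding string shorter than 8 bytes) to `decrypt_v15_leaky` takes three different code paths and raises three different errors, which is exactly the class of difference the Marvin toolkit measures between ciphertext kinds such as `no_header_with_payload_48` and `valid_48`. `decrypt_v15_implicit` walks the same instructions for all of them and for a valid ciphertext, and a caller cannot tell a rejected block from a genuinely decrypted one without already knowing the expected plaintext.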

tomato42 commented 4 months ago

This issue was assigned CVE-2024-2467.