CVE-2023-6935 in wolfSSL (Marvin Attack)
Summary
by MITRE • 02/10/2024
wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing Bleichenbacher style attack, when built with the following options to configure:
--enable-all CFLAGS="-DWOLFSSL_STATIC_RSA"
The define “WOLFSSL_STATIC_RSA” enables static RSA cipher suites, which is not recommended, and has been disabled by default since wolfSSL 3.6.6. Therefore the default build since 3.6.6, even with "--enable-all", is not vulnerable to the Marvin Attack. The vulnerability is specific to static RSA cipher suites, and expected to be padding-independent.
The vulnerability allows an attacker to decrypt ciphertexts and forge signatures after probing with a large number of test observations. However the server’s private key is not exposed.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 12/14/2024
The vulnerability identified as CVE-2023-6935 affects wolfSSL's SP Math implementation across all RSA cryptographic operations, representing a significant security flaw that falls under the category of timing attacks. This particular vulnerability manifests as the Marvin Attack, a novel variation of the well-known Bleichenbacher attack that exploits timing differences in cryptographic operations to infer sensitive information. The attack specifically targets implementations that utilize static RSA cipher suites, which are enabled through the configuration option "--enable-all" combined with the CFLAGS definition "WOLFSSL_STATIC_RSA". The vulnerability demonstrates the ongoing challenges in cryptographic implementation security where timing variations can leak information about private key operations even when the key itself remains protected.
The technical flaw resides in the timing behavior of RSA operations within wolfSSL's software-based mathematical library, where the execution time of cryptographic operations varies based on the input data, particularly during padding validation processes. This timing variation creates observable patterns that an attacker can exploit through statistical analysis of multiple cryptographic operations. The Marvin Attack operates by carefully crafting ciphertexts and measuring response times to determine the validity of padding, ultimately allowing attackers to decrypt messages without possessing the private key. This vulnerability specifically impacts the RSA implementation within wolfSSL's SP Math module, which handles the mathematical computations for RSA operations. The attack requires extensive probing with numerous test observations, indicating the sophistication of the exploitation method and the computational resources needed for successful implementation.
The operational impact of this vulnerability extends beyond simple data confidentiality breaches, as it enables sophisticated attacks that can compromise the integrity of cryptographic systems. While the private key itself remains protected from direct exposure, the ability to forge signatures and decrypt ciphertexts represents a serious threat to system security. The vulnerability affects systems that have explicitly configured wolfSSL with static RSA cipher suites, which were deprecated in version 3.6.6 due to security concerns. Organizations using older versions or those that have manually enabled static RSA support through configuration options face potential risk. The attack's padding independence means it can work across various padding schemes, increasing the attack surface and making it more challenging to defend against through simple padding scheme changes. This vulnerability directly relates to CWE-310, which covers cryptographic issues related to timing attacks and information leakage through timing variations.
Mitigation strategies for CVE-2023-6935 primarily focus on configuration changes and version upgrades. The most effective immediate solution involves disabling static RSA cipher suites by removing the WOLFSSL_STATIC_RSA define from build configurations, which is the default behavior in wolfSSL versions 3.6.6 and later. Organizations should upgrade to the latest wolfSSL versions that have addressed this vulnerability and removed static RSA support by default. System administrators should review all build configurations to ensure that static RSA cipher suites are not enabled unless absolutely necessary for legacy compatibility. Additionally, implementing proper timing attack mitigations such as constant-time operations and random delays in cryptographic processing can help reduce the attack surface. Network monitoring should be enhanced to detect unusual patterns of cryptographic requests that might indicate probing activity. The vulnerability also highlights the importance of following security best practices regarding cipher suite selection and the avoidance of deprecated cryptographic features. This aligns with ATT&CK technique T1592, which involves reconnaissance techniques to identify cryptographic implementations that may be vulnerable to timing attacks, and T1587, which covers the development of capabilities for cryptographic attacks. Organizations should also consider implementing cryptographic agility and regularly reviewing their cryptographic implementations against current security standards and threat models.