CVE-2024-0202 in cryptlib (Marvin Attack)
Summary
by MITRE • 02/05/2024
A security vulnerability has been identified in the cryptlib cryptographic library. When cryptlib is compiled with support for RSA key exchange ciphersuites in TLS (by setting the USE_RSA_SUITES define), it will be vulnerable to the timing variant of the Bleichenbacher attack. An attacker that is able to perform a large number of connections to the server will be able to decrypt RSA ciphertexts or forge signatures using the server's certificate. THIS CVE ID IS CURRENTLY DISPUTED - MAINTAINER NOTE: There are only two situations where it's enabled: one is for fuzz-testing, to exercise code paths that wouldn't otherwise be available; the other is for static source code analysis with tools like Coverity and Prefast, again to open up code paths that otherwise wouldn't be available. It can also be enabled manually in two specific test builds just to make sure the code still compiles OK, to avoid bit rot and verify that the fuzz-testing build will compile without errors.
Analysis
by VulDB Data Team • 03/16/2026
CVE-2024-0202 affects the cryptlib cryptographic library when it is compiled with support for RSA key exchange ciphersuites in TLS. It is a timing-based cryptographic weakness: enabling the USE_RSA_SUITES define at compile time opens a code path that is susceptible to the timing variant of the Bleichenbacher attack (the Marvin Attack named in the title). The attack exploits timing differences in the server's handling of RSA ciphertexts to recover secret information gradually, which makes it particularly dangerous in TLS deployments that rely on RSA key exchange.
The flaw stems from RSA processing in cryptlib that is not constant-time when the RSA ciphersuites are enabled. The timing variant of the Bleichenbacher attack exploits timing differences in the server's RSA private-key operations (the decryption and the handling of its padded result): an attacker who can observe and measure these differences across a large number of connections can use the server as an oracle to decrypt RSA ciphertexts or forge signatures under the server's certificate, as the summary above states. The entry is classified under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm); the concrete weakness is a cryptographic implementation that does not run in constant time. Exploitation demands considerable computational resources and time, typically thousands of connection attempts to gather enough timing samples for the cryptanalysis.
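To make the constant-time requirement concrete, the following is an added illustration, not cryptlib's own code and not a model of its TLS path: a simplified PKCS#1 v1.5 type-2 unpadding check written with early exits, whose running time reveals where the padding failed, beside a version that visits every byte and accumulates the verdict with bit operations. The encoded blocks are constructed test inputs.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed PKCS#1 v1.5 type-2 blocks: 0x00 0x02 PS(>=8 nonzero bytes) 0x00 M */
static const uint8_t EM_GOOD[]    = {0x00,0x02,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,'h','i'};
static const uint8_t EM_TYPE[]    = {0x00,0x01,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,'h','i'};
static const uint8_t EM_NOSEP[]   = {0x00,0x02,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,'h','i'};
static const uint8_t EM_SHORTPS[] = {0x00,0x02,0x11,0x22,0x33,0x00,0x55,0x66,0x77,0x88,0x99,'h','i'};
size_t unpad_off = 0;                        /* receives the message offset in checks */

/* Leaky check: exits at the first defect, so its running time reveals which
 * byte was wrong. Returns 1 and sets *msg_off on a well-formed block. */
int pkcs1_v15_unpad_leaky(const uint8_t *em, size_t emlen, size_t *msg_off)
{
    size_t i;
    if (emlen < 11 || em[0] != 0x00 || em[1] != 0x02)
        return 0;
    for (i = 2; i < emlen; i++)
        if (em[i] == 0x00)
            break;                           /* time depends on separator position */
    if (i == emlen || i < 10)                /* no separator, or PS shorter than 8 */
        return 0;
    *msg_off = i + 1;
    return 1;
}

/* Constant-time check: same result, but every byte is visited and the verdict
 * is accumulated with bit operations, so time depends only on emlen. */
int pkcs1_v15_unpad_ct(const uint8_t *em, size_t emlen, size_t *msg_off)
{
    size_t i, sep = 0, lt;
    uint32_t found = 0, bad;
    if (emlen < 11)                          /* length is public; may branch on it */
        return 0;
    bad = (uint32_t)em[0] | (uint32_t)(em[1] ^ 0x02);
    for (i = 2; i < emlen; i++) {
        uint32_t is_zero = ((uint32_t)em[i] - 1u) >> 31;   /* 1 iff em[i] == 0 */
        uint32_t take = is_zero & ~found & 1u;             /* first zero byte only */
        size_t mask = (size_t)0 - (size_t)take;            /* all-ones when take */
        sep |= mask & i;
        found |= is_zero;
    }
    bad |= found ^ 1u;                                     /* no separator at all */
    lt = (sep - 10u) >> (sizeof(size_t) * 8 - 1);          /* 1 iff sep < 10 */
    bad |= (uint32_t)lt;
    *msg_off = sep + 1;                      /* written unconditionally; ignore on 0 */
    return (int)(1u - ((bad | (0u - bad)) >> 31));         /* 1 iff bad == 0 */
}
```

The TLS-layer complement, prescribed by RFC 5246 section 7.4.7.1, is to continue the handshake with a random premaster secret when the decryption fails rather than signalling the failure to the peer.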
The operational impact goes beyond a loss of confidentiality to certificate misuse and a complete compromise of the server's RSA key usage. Servers running the affected cryptlib version with RSA ciphersuites enabled are exposed to attackers who can open a large number of connections and, through the timing oracle, decrypt RSA ciphertexts or forge signatures that would otherwise be computationally infeasible. This undermines the security assurances of RSA-based TLS and can lead to man-in-the-middle attacks, session hijacking, and impersonation of the server. Only builds compiled with the USE_RSA_SUITES flag are affected, which makes the issue most relevant to environments that need extensive testing or static-analysis tool integration.
Mitigation consists primarily of keeping the problematic compilation flag out of production builds. The maintainers have stated that the USE_RSA_SUITES define is intended only for specific testing scenarios, namely fuzz-testing and static analysis with tools such as Coverity and Prefast. Organizations should ensure that production deployments are not compiled with this flag, since the vulnerable code path exists only in those controlled test builds. System administrators should also review their build configurations and remove any manual enabling of the RSA suites flag in non-testing builds. The disputed status of the CVE reflects the maintainers' position that it affects only build configurations meant for development and testing rather than production deployments. The entry is mapped to ATT&CK technique T1552.004 (Unsecured Credentials: Private Keys) and to the broader category of cryptographic attacks targeting implementation weaknesses.
The broader lesson is the importance of careful code-path management in cryptographic libraries. Cryptographic operations must execute in constant time to prevent timing side-channel attacks, which is the implementation-practice concern that CWE-327 captures alongside its emphasis on strong algorithms. The case is a reminder that even well-established cryptographic libraries can contain implementation weaknesses that surface only under particular compilation conditions. Organizations should test both functional correctness and security properties across all build configurations, particularly for libraries that support multiple operational modes or testing scenarios, and should understand the security implications of each build flag and configuration option before deploying cryptographic software.