GHSA-4grx-2x9w-596c: Marvin Attack: potential key recovery through timing sidechannels

November 28, 2023 (updated December 14, 2023)

The Marvin Attack is a timing sidechannel vulnerability which allows performing RSA decryption and signing operations as an attacker with the ability to observe only the time of the decryption operation performed withthe private key.

A recent survey of RSA implementations found that the Rust rsa crate is one of many implementations vulnerable to this attack.

No fixed version is available at this time.

References

github.com/RustCrypto/RSA
github.com/RustCrypto/RSA/issues/19
github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr
github.com/advisories/GHSA-4grx-2x9w-596c
rustsec.org/advisories/RUSTSEC-2023-0071.html

Code Behaviors & Features

Detect and mitigate GHSA-4grx-2x9w-596c with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →