Skip to content

Marvin Attack: potential key recovery through timing sidechannels

Moderate severity GitHub Reviewed Published Nov 28, 2023 to the GitHub Advisory Database • Updated Dec 14, 2023

Package

cargo rsa (Rust)

Affected versions

<= 0.9.6

Patched versions

None

Description

The Marvin Attack is a timing sidechannel vulnerability which allows performing RSA decryption and signing operations as an attacker with the ability to observe only the time of the decryption operation performed withthe private key.

A recent survey of RSA implementations found that the Rust rsa crate is one of many implementations vulnerable to this attack.

No fixed version is available at this time.

References

Published to the GitHub Advisory Database Nov 28, 2023
Reviewed Nov 28, 2023
Last updated Dec 14, 2023

Severity

Moderate
5.9
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-4grx-2x9w-596c

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.