Bug 2255127 (CVE-2023-50979)

Summary: CVE-2023-50979 cryptopp: side-channel leakage during decryption with PKCS#1v1.5 padding (Marvin)
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A security flaw was discovered in Crypto++ (cryptopp). This issue may allow a remote attacker to decrypt captured messages in TLS servers, which may lead to exposure of confidential or sensitive data.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2255128, 2255129    
Bug Blocks: 2255124    

Description Robb Gatica 2023-12-18 19:27:28 UTC 
Reference: https://github.com/weidai11/cryptopp/issues/1247

-----
Crypto++ Issue Report

I've verified that the Crypto++ is vulnerable to the Marvin Attackā€”a timing variant of the well-known Bleichenbacher attack.

I've executed the test on ArchLinux, using crypto++ 8.9.0 from the Arch repository.
The reproducer is available in the marvin-toolkit repository. It was compiled with a simple g++ -o time_decrypt -lcryptopp time_decrypt.cpp.

When executed on AMD Ryzen 5 5600X, I'm able to detect a side-channel signal when performing decryption with PKCS#1 v1.5 padding. The results are statistically significant with just few hundred measurement pairs, but below I'm showing results of a run with 100k repeats to show the size of the side-channel more clearly.
Comment 1 Robb Gatica 2023-12-18 19:36:39 UTC 
Created cryptopp tracking bugs for this issue:

Affects: epel-all [bug 2255128]
Affects: fedora-all [bug 2255129]