Mozilla Foundation Security Advisory 2023-53

Timing side-channel in PKCS#1 v1.5 decryption depadding code

Announced

December 12, 2023

Impact

moderate

Products

NSS

Fixed in

NSS 3.61

Although this issue was embargoed until 2023, it was fixed in NSS 3.61 as released on January 22, 2021

#CVE-2023-4421: Timing side-channel in PKCS#1 v1.5 decryption depadding code

Reporter: Hubert Kario
Impact: moderate

Description

The NSS code used for checking PKCS#1 v1.5 was leaking information useful in mounting Bleichenbacher-like attacks. Both the overall correctness of the padding as well as the length of the encrypted message was leaking through timing side-channel. By sending large number of attacker-selected ciphertexts, the attacker would be able to decrypt a previously intercepted PKCS#1 v1.5 ciphertext (for example, to decrypt a TLS session that used RSA key exchange), or forge a signature using the victim's key. The issue was fixed by implementing the implicit rejection algorithm, in which the NSS returns a deterministic random message in case invalid padding is detected, as proposed in the Marvin Attack paper.

References

Bug 1651411

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice