CVE CyberSecurity Database News

CVE-2023-5981 - Timing Attack on RSA-PSK ClientKeyExchange Reveals PKCS#1 Padding Oracles

Poster -

In November 2023, a critical vulnerability dubbed CVE-2023-5981 was disclosed. This bug affects systems using RSA-PSK (Pre-Shared Key) modes of the TLS (Transport Layer Security) protocol. Specifically, it arises from the way some servers handle RSA-PSK ClientKeyExchange messages: when a client sends an RSA-encrypted message with bad PKCS#1 v1.5 padding, the server’s response time is measurably different compared to messages with valid padding.

While subtle, this tiny difference lets attackers use so-called timing side-channel attacks to probe the server’s responses and eventually recover secret information—like decrypting past TLS sessions or breaking into encrypted traffic.

Let’s break it down in simple terms, explore the core exploit, and see hands-on code and resources for more learning.

The Crypto Flow

- TLS with RSA-PSK: The client sends a secret pre-master key, encrypted using the server’s RSA public key.
- Before using the decrypted data, the server checks whether the padding format is correct (PKCS#1 v1.5).

vs

- *Incorrect/malformed padded data*

...then someone who can measure this difference can methodically guess the padding of the decrypted message.

How Attackers Exploit the Timing Oracle

1. Send many ClientKeyExchange messages: Some are valid, some have intentionally malformed PKCS#1 padding.

If there’s a consistent, measurable timing difference, the attacker uses that as a "yes/no" signal

- "Yes, padding is correct": fast/slow response.

"No, padding is bad": opposite timing.

They automate this process to recover the correct plaintext block by block (using something like Bleichenbacher’s padding oracle attack, which has been around since the late 199s).

Demo: How a Timing Oracle Can Be Measured

Let’s look at a Python snippet (pseudo-code for simplicity) to measure server response time to different ClientKeyExchange ciphertexts.

import time
import socket

def send_client_key_exchange(server_addr, crafted_ciphertext):
    s = socket.socket()
    s.settimeout(2)
    s.connect(server_addr)
    # Handshake up to ClientKeyExchange...
    # Send crafted RSA-encrypted pre-master secret
    start = time.perf_counter()
    s.sendall(crafted_ciphertext)
    try:
        data = s.recv(1024)
    except socket.timeout:
        data = b''
    elapsed = time.perf_counter() - start
    s.close()
    return elapsed, data

# Suppose we have a set of test ciphertexts:
ciphertexts = [ciphertext1, ciphertext2, ...]  # some valid, some invalid

results = []
for c in ciphertexts:
    t, _ = send_client_key_exchange(("target_server", 443), c)
    results.append( (c, t) )

# Print out and compare timings
for c, t in results:
    print(f"Ciphertext {c[:8]}...: {t:.4f}s")

With enough samples, you’ll often see two timing "clusters":

Invalid Padding: Consistently different response time.

The attacker uses this “oracle” to piece together the expected PKCS#1 padding and ultimately decrypt messages.

Original Advisory:

https://nvd.nist.gov/vuln/detail/CVE-2023-5981

Timing Attacks on PKCS#1:

- Practical padding oracle attacks (Ivan Ristic)
- Bleichenbacher’s original paper (PDF)

Mitigation in OpenSSL:

OpenSSL news and security updates

Technical write-up & exploit code:

CVE-2023-5981, oss-security post

Real-World Impact

- Many major TLS libraries (including OpenSSL and forks) acknowledged and patched this bug in late 2023.
- Services using RSA-PSK modes—although less common today—were especially vulnerable if not patched.
- Attackers on the same network (local or wi-fi) could realistically fire off large numbers of test connections and, with patience, decrypt secret session keys.

Patch and Remediation

- Update your libraries: Always use the latest versions of OpenSSL, GnuTLS, and other TLS libraries.
- Avoid RSA-PSK: Modern configurations should use key exchange methods like ECDHE, which don’t have this class of padding oracle risk.
- Constant-time cryptography: Good libraries go out of their way not to leak information through timing differences.

Summary

CVE-2023-5981 is a reminder that even decades-old cryptographic missteps can still surface in modern infrastructure—especially where old-style RSA encryption and padding are lurking.

Always monitor upstream advisories for security fixes.

Stay safe!
For more info, check the references above and make sure your code is never leaking secrets—no matter how small the timing difference.


*This post is original content for your review. Please consult authoritative docs for your environment's specifics.*

Timeline

Published on: 11/28/2023 12:15:07 UTC
Last modified on: 02/09/2024 03:15:09 UTC