In February 2024, a critical vulnerability was disclosed in the popular JavaScript cryptography library jsrsasign. Within versions before 11.., attackers can break the confidentiality of RSA-encrypted data due to an issue called Observable Discrepancy, specifically when using PKCS1.5 or RSAOAEP decryption. The technical heart of this attack exploits the Marvin Flaw, letting hackers decrypt data if they possess enough ciphertexts encrypted under the same key.
In this article, I'll break down how this works, show an example, provide real-world guidance, and link you to the official details.
What Is the Marvin Flaw and Observable Discrepancy?
The Marvin Flaw refers to a side-channel vulnerability where cryptographic routines behave differently—often by leaking timing, errors, or other observable cues—depending on input data. In the case of jsrsasign, attackers can observe discrepancies during RSA decryption to learn about the key or plaintext. This falls under the broader class of padding oracle attacks.
Why is This Vulnerable in jsrsasign?
In versions before 11.., jsrsasign internally processes PKCS1.5 and OAEP decryption in a way that leaks subtle differences when decrypting malformed or manipulated ciphertexts. If a hacker submits thousands (or more) of crafted ciphertexts to a system—provided they're encrypted under the same key—they can “observe” enough discrepancies to eventually decrypt messages *without the private key*.
Suppose you have a server that uses jsrsasign (v10.7.) for RSA OAEP decryption
const { KJUR, KEYUTIL } = require('jsrsasign');
// Private key object (usually loaded from file)
const privKey = KEYUTIL.getKey(privateKeyPEM);
function decrypt(ciphertextB64) {
return KJUR.crypto.Cipher.decrypt(
ciphertextB64,
privKey,
'RSAOAEP'
);
}
The Exploitation Scenario
1. Attacker collects access to this API/function (like via a web service).
2. They send massive numbers of specifically crafted ciphertexts, some of which will be malformed *just right*.
3. The server, powered by vulnerable jsrsasign, may respond slightly differently to different ciphertexts (different error messages, timing, or even just returning undefined for some errors and an empty string for others).
4. Attacker records and analyzes all responses — over time, this data narrows possible plaintext values, until the real message is decrypted.
Minimal Exploit PoC (Pseudocode)
const ciphertexts = generateCraftedCiphertexts(targetCiphertext);
ciphertexts.forEach(async (cipher) => {
let response = await fetch('https://target/api/decrypt';, {
method: 'POST',
body: JSON.stringify({ data: cipher }),
headers: {'Content-Type': 'application/json'}
});
let out = await response.json();
recordObservableBehavior(out, response.status, response.headers);
// Compare how outputs vary based on the crafted ciphertext
});
While a full attack needs many more details (including deep crypto knowledge), even subtle differences in out—errors, response times, etc.—can leak enough information for a patient attacker.
Official References
- NVD CVE-2024-21484 Entry
- jsrsasign Release Notes for 11..
- Marvin Attack Background Paper
How Can You Fix or Work Around This?
Patch Now:
Upgrade jsrsasign to 11.. or later immediately!
Identify all places you're using KJUR.crypto.Cipher.decrypt with 'RSA' or 'RSAOAEP'.
- Temporarily replace with another well-reviewed crypto library (such as node-forge or crypto), since they don’t expose this behavior.
Example Switch to Node’s Native Crypto
const crypto = require('crypto');
function safeDecrypt(ciphertext, privateKey) {
return crypto.privateDecrypt(
{
key: privateKey,
padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
},
Buffer.from(ciphertext, 'base64')
).toString();
}
Conclusion
CVE-2024-21484 in jsrsasign is a real threat if your app decrypts untrusted ciphertexts, especially if you use the library in REST APIs or online services. Attackers leveraging the Marvin flaw can eventually break your encryption—even without breaking the RSA algorithm itself—just by watching your system’s subtle behavioral quirks.
Action Item:
Check your dependencies, patch now, and never let your cryptography library become the weak link!
More Links
- jsrsasign GitHub
- Explaining Padding Oracle Attacks (OWASP)
Timeline
Published on: 01/22/2024 05:15:08 UTC
Last modified on: 03/06/2024 14:15:47 UTC