CVE-2024-2408 - PHP's openssl_private_decrypt and the Hidden Risk Behind the Marvin Attack

A new vulnerability tracked as CVE-2024-2408 has come to light, affecting the way PHP handles decryption using its openssl_private_decrypt() function with PKCS1 padding (OPENSSL_PKCS1_PADDING—the default). This issue exposes your PHP applications to the so-called Marvin Attack unless OpenSSL is updated to include crucial security changes.

Let’s break down why this is a big deal, see some code you might use, and explain how to keep your apps safe.

Why Should You Care About the Marvin Attack?

The Marvin Attack is a cryptographic attack that cleverly exploits padding oracles in RSA PKCS#1 v1.5 decryption. In simple English, if a system responds differently when decryption fails versus when it succeeds, attackers can gradually guess the original data—potentially leaking secrets like login tokens, session keys, or even private messages.

The root cause here is that PHP’s openssl_private_decrypt() would, under certain conditions, allow attackers to use these subtle differences as an "oracle," a clue that can be repeatedly probed to eventually uncover your secrets.

The OpenSSL Fix: rsa_pkcs1_implicit_rejection

The real fix comes from a change made in OpenSSL, specifically with pull request #13817, which introduces "rsa_pkcs1_implicit_rejection." This makes the RSA decryption padding handling much less talkative—so attackers can’t learn anything useful by just listening and poking.

These changes are included in OpenSSL 3.2 and have been backported to many stable Linux distributions, plus they are now part of the official PHP for Windows builds (since PHP 8.1.29, 8.2.20, and 8.3.8).

Who Is Affected?

- Anyone running PHP code that calls openssl_private_decrypt() with default settings (PKCS1 padding).
- Your server is at risk unless the version of OpenSSL you use contains the fix from #13817—either by running OpenSSL 3.2+ or patched older builds.
- If you are on Windows: Make sure you’re at least on PHP 8.1.29 / 8.2.20 / 8.3.8 (or newer).
- On Linux/Unix: Make sure your distribution’s OpenSSL has the backported patch.

Here’s a typical usage of the potentially-vulnerable function

// Imagine this runs on your web server, e.g., in an API endpoint
$privateKey = openssl_pkey_get_private(file_get_contents('/path/to/private.pem')); 
$encryptedData = base64_decode($_POST['data']);

// This is the vulnerable line if your OpenSSL isn't patched!
if (openssl_private_decrypt($encryptedData, $decrypted, $privateKey)) {
    echo "Decoded: $decrypted";
} else {
    echo "Error!";
}

How does the exploit work?
Attackers send a bunch of carefully crafted $encryptedData blocks and watch the API's response to each one. If the server clues them in (even just by error timing or responses), they can slowly deduce the original message—this is the core of the padding oracle / Marvin Attack.

On Linux, run

openssl version

Is it 3.2 or higher? Or does your distribution say it has "rsa_pkcs1_implicit_rejection"?
Check your distro’s security notes!

On Windows, make sure you’re running at least PHP 8.1.29, 8.2.20, or 8.3.8.

Remember: Updating only PHP is not enough if your OS-level OpenSSL is still old!

Linux: Use your package manager to update OpenSSL.

  sudo apt upgrade openssl
  # or
  sudo dnf upgrade openssl
  

- Windows: Download the latest PHP build from the official website that bundles the safe OpenSSL DLLs.

3. If You Can’t Update Immediately

- Consider switching your code to use OAEP padding (OPENSSL_PKCS1_OAEP_PADDING), which is not vulnerable to this class of attack:

if (openssl_private_decrypt($encryptedData, $decrypted, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)) {

// ...
}
<br> <b>Warning:</b> Your clients must encrypt using the same padding!<br><br>---<br><br>## References and More Reading<br><br>- OpenSSL Pull Request #13817 ("rsa_pkcs1_implicit_rejection")<br>- PHP Bug report<br>- Timeline and details at NIST NVD for CVE-2024-2408<br>- Marvin Attack Explained (PDF)<br><br>---<br><br>## Final Words: What Should You Do?<br><br>- <b>Double check your PHP and OpenSSL versions today.</b><br>- Update both if needed (especially if you self-compile PHP, or have an old Linux server).<br>- Consider auditing any code using openssl_private_decrypt()` just to be sure.
- Don’t ignore this: Even if your app seems unimportant, attackers absolutely automate scanning for this kind of vulnerability!

If you’re a developer, sysadmin, or just gearing up a new server—make it a checklist item to confirm your crypto libraries are *really* up to date. When it comes to cryptography, details matter.

Stay safe and patch up!

---

*(This post is an exclusive, plain-English breakdown for everyday developers. Please share with your team or friends to keep the PHP community secure!)*

Timeline

Published on: 06/09/2024 20:15:09 UTC
Last modified on: 06/13/2024 04:15:16 UTC