CVE-2024-2408 Overview
CVE-2024-2408 is a timing-based side-channel vulnerability affecting the openssl_private_decrypt function in PHP. When using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), PHP applications become vulnerable to the Marvin Attack—a sophisticated cryptographic timing attack that can potentially allow attackers to decrypt RSA-encrypted messages or forge signatures by exploiting timing differences in cryptographic operations.
Critical Impact
This vulnerability enables network-based attackers to potentially recover plaintext from RSA-encrypted communications through timing analysis, compromising the confidentiality of encrypted data in affected PHP applications.
Affected Products
- PHP versions prior to 8.1.29
- PHP versions prior to 8.2.20
- PHP versions prior to 8.3.8
- Fedora 40
Discovery Timeline
- June 9, 2024 - CVE-2024-2408 published to NVD
- March 21, 2025 - Last updated in NVD database
Technical Details for CVE-2024-2408
Vulnerability Analysis
The Marvin Attack is a modern variant of the classic Bleichenbacher attack against RSA PKCS#1 v1.5 padding. The vulnerability exists because PHP's openssl_private_decrypt function, when using the default PKCS1 padding scheme, does not implement constant-time operations during the decryption process. This allows an attacker who can measure timing differences in decryption responses to gradually reconstruct the plaintext through adaptive chosen-ciphertext attacks.
The attack requires the ability to send multiple crafted ciphertexts to a vulnerable server and measure the time taken to process each request. By analyzing these timing variations, an attacker can determine whether the PKCS#1 padding is valid, effectively creating an oracle that leaks information about the decryption process. This weakness is classified under CWE-203 (Observable Discrepancy), which describes vulnerabilities where behavioral differences in an application can be observed and exploited.
Root Cause
The root cause of this vulnerability lies in the lack of implicit rejection functionality in older versions of OpenSSL used by PHP. Without the rsa_pkcs1_implicit_rejection feature introduced in OpenSSL pull request #13817, the RSA decryption implementation exhibits measurable timing differences based on padding validity. This timing side-channel persists because error handling paths for valid versus invalid padding take different amounts of time to execute, creating an observable discrepancy that attackers can exploit.
Attack Vector
The attack can be executed remotely over a network without requiring authentication or user interaction, though it demands high attack complexity due to the need for precise timing measurements and numerous oracle queries. An attacker must be able to:
- Send crafted RSA ciphertexts to a vulnerable PHP application
- Measure response times with sufficient precision
- Perform statistical analysis on timing data to distinguish valid from invalid padding
- Iteratively refine guesses to recover the plaintext
The attack mechanism leverages the mathematical relationship between PKCS#1 v1.5 padding validation and the underlying plaintext. By observing timing differences, attackers can determine boundary conditions that progressively narrow down the possible plaintext values. Applications using RSA encryption for session keys, authentication tokens, or other sensitive data are at risk of having this data recovered by patient attackers with network access.
Detection Methods for CVE-2024-2408
Indicators of Compromise
- Unusual patterns of repeated RSA decryption requests from the same source with varying ciphertext values
- High volume of failed decryption attempts against endpoints using openssl_private_decrypt
- Network traffic patterns showing systematic probing with incrementally modified ciphertext payloads
- Timing analysis showing statistical clustering of response times for decryption operations
Detection Strategies
- Monitor application logs for abnormal patterns of RSA decryption calls, particularly high-frequency requests from single sources
- Implement request rate limiting on endpoints that perform RSA decryption operations
- Deploy network intrusion detection rules to identify potential Marvin Attack patterns based on request timing and ciphertext variations
- Audit PHP applications to identify usage of openssl_private_decrypt with default PKCS1 padding
Monitoring Recommendations
- Enable detailed logging for cryptographic operations in PHP applications
- Configure security monitoring to alert on statistically significant timing variations in authentication or decryption endpoints
- Regularly audit PHP and OpenSSL versions across all systems to ensure patched versions are deployed
- Monitor for advisories from PHP and OpenSSL security teams regarding related vulnerabilities
How to Mitigate CVE-2024-2408
Immediate Actions Required
- Upgrade PHP to version 8.1.29, 8.2.20, or 8.3.8 or later, which include OpenSSL patches that address the vulnerability
- Verify that the underlying OpenSSL library includes the rsa_pkcs1_implicit_rejection feature (OpenSSL 3.2 or backported versions)
- Review applications for usage of openssl_private_decrypt with PKCS1 padding and evaluate migration to OAEP padding where possible
- Apply distribution-specific security updates for PHP packages
Patch Information
PHP Windows builds for versions 8.1.29, 8.2.20, and 8.3.8 and above include OpenSSL patches that fix this vulnerability. Linux distributions should ensure they are using OpenSSL versions with the implicit rejection patches backported. Consult the PHP Security Advisory GHSA-hh26-4ppw-5864 for detailed patch information. Fedora users should apply updates per the Fedora package announcements.
Workarounds
- Where feasible, switch from PKCS#1 v1.5 padding to OAEP padding (OPENSSL_PKCS1_OAEP_PADDING) which is not vulnerable to this class of attack
- Implement application-level rate limiting on endpoints that perform RSA decryption to make timing attacks impractical
- Add artificial random delays to cryptographic operations to obscure timing information (though this is not a complete mitigation)
- Consider migrating to alternative encryption schemes that do not rely on RSA PKCS#1 v1.5 padding
# Verify PHP and OpenSSL versions
php -v
php -r "echo 'OpenSSL version: ' . OPENSSL_VERSION_TEXT . PHP_EOL;"
# Check if using vulnerable PHP version (upgrade if below these versions)
# PHP 8.1.x: Upgrade to 8.1.29 or later
# PHP 8.2.x: Upgrade to 8.2.20 or later
# PHP 8.3.x: Upgrade to 8.3.8 or later
# On Fedora, update PHP packages
sudo dnf update php\*
# Verify OpenSSL supports implicit rejection (OpenSSL 3.2+)
openssl version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
