
Cloud Vulnerability DB
A community-led vulnerabilities database
The wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, a variation of the Bleichenbacher attack that exploits timing side channels, when built with specific configuration options (--enable-all CFLAGS="-DWOLFSSL_STATIC_RSA"). The vulnerability was discovered in February 2024 and affects wolfSSL versions from 3.12.2 up to 5.6.4 (NVD, Marvin Attack).
The vulnerability is specific to static RSA cipher suites and is padding-independent. When the define "WOLFSSL_STATIC_RSA" is enabled (it turns on static RSA cipher suites, which are not recommended and have been disabled by default since wolfSSL 3.6.6), the RSA private-key operation leaks timing information that an attacker can observe. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD, wolfSSL Advisory).
The vulnerability allows an attacker to decrypt ciphertexts and forge signatures after collecting a large number of timing observations from the target. The server's private key itself is not exposed by the attack. Affected users are those who have enabled static RSA cipher suites or who use wolfSSL's RSA private decryption outside of TLS (Marvin Attack, wolfSSL Advisory).
The recommended mitigation is to disable static RSA cipher suites and update to wolfSSL version 5.6.6 or later. The default build since wolfSSL 3.6.6, even with "--enable-all", is not vulnerable to the Marvin Attack because static RSA cipher suites are disabled by default. Users who must perform RSA private decryption outside of TLS are strongly advised to update to the latest version (wolfSSL Advisory).
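As an added example that is not part of this report or of wolfSSL itself, the following script turns the advisory's conditions into a build check a defender can run against a deployed wolfSSL: it parses the library version, looks for the WOLFSSL_STATIC_RSA define in the generated options header or in CFLAGS, and reports whether the build falls inside the affected range. The affected version range, the define name and the fixed version come from the report above; the assumption that the build writes its defines to a wolfssl/options.h file and the sample header contents are constructed for this example.

```python
"""Check a wolfSSL build against the Marvin Attack advisory conditions.

Added example; not wolfSSL project code. It assumes a configure-generated
wolfssl/options.h header (an assumption) and otherwise relies only on the
facts stated in the advisory summary above.
"""
import re

# Affected range and fixed release as stated in the advisory summary.
AFFECTED_MIN = (3, 12, 2)
AFFECTED_MAX = (5, 6, 4)
FIXED_VERSION = (5, 6, 6)
STATIC_RSA_DEFINE = "WOLFSSL_STATIC_RSA"

# Regex for an active "#define WOLFSSL_STATIC_RSA" line; "#undef" lines do
# not match, so a header that first undefines and never defines it is clean.
_DEFINE_RE = re.compile(r"^\s*#\s*define\s+" + STATIC_RSA_DEFINE + r"\b", re.M)


def parse_version(version_str):
    """Parse 'MAJOR.MINOR.PATCH' (e.g. '5.6.4') into a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version_str)
    if not m:
        raise ValueError(f"unrecognised wolfSSL version string: {version_str!r}")
    return tuple(int(part) for part in m.groups())


def static_rsa_enabled(options_h_text="", cflags=""):
    """True if static RSA cipher suites are compiled in via the header or CFLAGS."""
    if _DEFINE_RE.search(options_h_text):
        return True
    # CFLAGS form used in the advisory: -DWOLFSSL_STATIC_RSA (optionally =1)
    return any(
        flag == "-D" + STATIC_RSA_DEFINE or flag.startswith("-D" + STATIC_RSA_DEFINE + "=")
        for flag in cflags.split()
    )


def assess(version_str, options_h_text="", cflags="", rsa_decrypt_outside_tls=False):
    """Return a dict describing whether this build is exposed to the Marvin Attack.

    rsa_decrypt_outside_tls: set True if the application calls wolfSSL's RSA
    private decryption directly (outside the TLS handshake); the advisory lists
    such users as affected even without static RSA cipher suites.
    """
    version = parse_version(version_str)
    in_range = AFFECTED_MIN <= version <= AFFECTED_MAX
    static_rsa = static_rsa_enabled(options_h_text, cflags)
    exposed = in_range and (static_rsa or rsa_decrypt_outside_tls)

    if exposed:
        advice = (f"update to {'.'.join(map(str, FIXED_VERSION))} or later"
                  + ("; remove " + STATIC_RSA_DEFINE + " to disable static RSA cipher suites"
                     if static_rsa else ""))
    elif in_range and not static_rsa:
        advice = "default build without static RSA; not affected by this advisory"
    else:
        advice = "version outside the affected range"

    return {
        "version": version,
        "in_affected_range": in_range,
        "static_rsa": static_rsa,
        "affected": exposed,
        "advice": advice,
    }


# Constructed sample headers in the "#undef / #define" style of a generated
# options.h (constructed for this example, not copied from a real build).
SAMPLE_OPTIONS_STATIC_RSA = """\
#undef  WOLFSSL_STATIC_RSA
#define WOLFSSL_STATIC_RSA

#undef  WOLFSSL_SP_MATH_ALL
#define WOLFSSL_SP_MATH_ALL
"""

SAMPLE_OPTIONS_DEFAULT = """\
#undef  WOLFSSL_SP_MATH_ALL
#define WOLFSSL_SP_MATH_ALL
"""


def check_file(version_str, options_h_path):
    """Convenience wrapper: read an options.h from disk and assess it."""
    with open(options_h_path, encoding="utf-8") as fh:
        return assess(version_str, options_h_text=fh.read())


if __name__ == "__main__":
    for ver, hdr in (("5.6.4", SAMPLE_OPTIONS_STATIC_RSA), ("5.6.4", SAMPLE_OPTIONS_DEFAULT),
                     ("5.6.6", SAMPLE_OPTIONS_STATIC_RSA)):
        r = assess(ver, options_h_text=hdr)
        print(ver, "affected" if r["affected"] else "not affected", "-", r["advice"])
```

Against a real installation, `check_file("5.6.4", "/usr/local/include/wolfssl/options.h")` gives the same verdict for the actual header; the version string should be taken from the build's own version header or package metadata rather than hard-coded.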
Source: This report was generated using AI