CVE Radar

CVE-2024-2408

High Severity | Php
SVRS: 56
CVSSv3: 5.9
EPSS: 0.00255
Tags: In The Wild
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Publication date: 2024-06-09
Last modified: 2025-03-21

Security Intelligence Brief

1. What is this vulnerability and why does it matter?
This vulnerability, identified as CVE-2024-2408, affects the openssl_private_decrypt function in PHP when it utilizes PKCS1 padding (specifically OPENSSL_PKCS1_PADDING, which is the default setting). It is susceptible to the Marvin Attack, a type of cryptographic side-channel attack. This vulnerability is significant because it can allow an attacker to perform oracle attacks against RSA decryption, potentially leading to the recovery of sensitive encrypted data or keys. Given that PKCS1 padding is a default configuration, the potential impact and widespread applicability are considerable, posing a risk to the confidentiality of data processed by vulnerable PHP applications.
2. What are the CVSS score, severity level, and disclosure details?
The CVSS score for this vulnerability is 5.9. This indicates a Medium severity level. The vulnerability was publicly disclosed (published) on June 9, 2024, at 19:55:51 UTC. The CVE entry was last modified on March 21, 2025, at 18:03:45 UTC.
3. Which products, vendors, systems, and versions are affected?
The vulnerability primarily affects:
  • Products: PHP's openssl_private_decrypt function.
  • Vendors/Systems: PHP installations and underlying OpenSSL libraries.
  • Versions:
    • PHP installations using an OpenSSL version that does not include the changes from the pull request https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection).
    • OpenSSL versions prior to OpenSSL 3.2 that have not been backported with the necessary fixes.
    • Specifically, PHP Windows builds for versions below 8.1.29, 8.2.20, and 8.3.8 are affected.
    • Various Linux distributions are also affected if their PHP builds or OpenSSL packages do not include the backported patches.
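The version rules in the list above can be applied to an asset inventory. This is an added example, not code from this page, PHP or OpenSSL; the function names, status labels and sample rows are constructed, and treating Windows branches older than 8.1 as affected is an assumption drawn from "below 8.1.29".

```python
import re

# Fixed PHP Windows builds named on this page, keyed by (major, minor) branch.
FIXED_WINDOWS = {(8, 1): 29, (8, 2): 20, (8, 3): 8}

def numbers(text, count):
    """Leading numeric components, tolerant of suffixes such as '-1ubuntu2.14'."""
    found = [int(n) for n in re.findall(r"\d+", text)[:count]]
    return tuple(found + [0] * (count - len(found)))

def triage_host(php_version, os_family, openssl_version):
    """Return 'affected', 'fixed' or 'check-backport' for one inventory record."""
    major, minor, patch = numbers(php_version, 3)
    if os_family.lower() == "windows":
        # On Windows the page ties the fix to the PHP release itself.
        floor = FIXED_WINDOWS.get((major, minor))
        if (major, minor) < (8, 1):  # assumption: older branches are below 8.1.29
            return "affected"
        if floor is not None and patch < floor:
            return "affected"
        return "fixed"
    if numbers(openssl_version, 2) >= (3, 2):
        return "fixed"
    # Below 3.2 the version string cannot show whether the distribution
    # backported openssl/openssl#13817; the package changelog has to be checked.
    return "check-backport"

# Constructed inventory rows: (PHP version, OS family, linked OpenSSL version text).
SAMPLE_HOSTS = [
    ("8.2.19", "Windows", "OpenSSL 3.0.13 30 Jan 2024"),
    ("8.3.8", "Windows", "OpenSSL 3.0.13 30 Jan 2024"),
    ("8.1.2-1ubuntu2.14", "Linux", "OpenSSL 3.0.2 15 Mar 2022"),
    ("8.3.6", "Linux", "OpenSSL 3.2.1 30 Jan 2024"),
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(host, "->", triage_host(*host))
```

A "check-backport" result is not a finding by itself: it marks hosts whose OpenSSL package notes still have to be read.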
4. What is the technical root cause and attack vector?
The technical root cause lies in the handling of PKCS1 padding during RSA private decryption by the openssl_private_decrypt function. Specifically, the absence of an "implicit rejection" mechanism in earlier OpenSSL implementations (prior to OpenSSL 3.2 and related backports) makes the function vulnerable to cryptographic oracle attacks. This means that the decryption process may reveal subtle differences in behavior (e.g., timing, error messages) when processing malformed ciphertexts.

The attack vector is the Marvin Attack. This is a variant of a Bleichenbacher-style attack that exploits these subtle differences. An attacker can repeatedly send carefully crafted ciphertexts to the vulnerable function and observe its responses to incrementally deduce information about the private key or decrypt the original plaintext.
5. How can this vulnerability be exploited?
This vulnerability can be exploited by an attacker leveraging the Marvin Attack. The exploitation typically involves:
  1. An attacker sending specially crafted ciphertexts to a system running a vulnerable PHP application that uses the openssl_private_decrypt function with PKCS1 padding.
  2. The attacker observes the system's responses, which could be error messages or subtle timing differences in the decryption process.
  3. By analyzing these responses, often in an iterative fashion, the attacker can use a cryptographic oracle attack algorithm to gradually reveal portions of the plaintext or even recover the session key used for encryption.
The success of the exploitation relies on the ability to send multiple crafted inputs and distinguish between different types of decryption failures or processing times.
6. What mitigation steps and patches are available?
To mitigate this vulnerability, the following steps are recommended:
  • Update OpenSSL: Ensure that the OpenSSL library used by PHP is version 3.2 or later, as OpenSSL 3.2 includes the necessary changes (rsa_pkcs1_implicit_rejection) to address this vulnerability.
  • Apply Backported Patches: If upgrading to OpenSSL 3.2 is not immediately possible, users should ensure their OpenSSL version includes backported patches from the pull request https://github.com/openssl/openssl/pull/13817. Many stable versions of Linux distributions have backported these fixes.
  • Update PHP for Windows: Users of PHP on Windows should upgrade to versions 8.1.29, 8.2.20, 8.3.8, or above, as these versions include the OpenSSL patches that resolve the vulnerability.
  • Consult Distributors/Builders: All distributors and builders of PHP and OpenSSL packages should ensure that the included OpenSSL version incorporates the fix to prevent PHP from being vulnerable.
7. How can vulnerable systems be detected?
Vulnerable systems can be detected by:
  • Checking OpenSSL Version: Determine the version of the OpenSSL library being utilized by the PHP installation. Systems running OpenSSL versions prior to 3.2, which have not had the rsa_pkcs1_implicit_rejection changes backported, are vulnerable.
  • Checking PHP Version (Windows): For PHP installations on Windows, verify if the PHP version is below 8.1.29, 8.2.20, or 8.3.8. These older versions on Windows are known to be vulnerable.
  • Reviewing Distribution Patches (Linux/Other OS): For Linux and other operating systems, check the patch status and release notes of the installed OpenSSL packages and PHP builds provided by the distribution vendor. Confirm that they explicitly include the fix for CVE-2024-2408 or the OpenSSL pull request #13817.
  • Code Review: Inspect PHP applications to confirm if the openssl_private_decrypt function is used with OPENSSL_PKCS1_PADDING. While this function in itself isn't the vulnerability, its use in conjunction with older OpenSSL versions creates the exposure.
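For the code review step, a small source scanner can list every openssl_private_decrypt call that relies on PKCS1 padding, either by default or explicitly. This is an added example, not code from this page or from PHP; the helper names and the PHP sample are constructed, and calls whose padding argument is not a literal constant are reported for manual review.

```python
import re

# PHP function names are case-insensitive, so the match is too.
CALL = re.compile(r"\bopenssl_private_decrypt\s*\(", re.IGNORECASE)

# Constructed PHP source for the demonstration; not taken from a real project.
SAMPLE_PHP = '''<?php
openssl_private_decrypt($ct, $pt, $key);
openssl_private_decrypt($ct, $pt, load_key("rsa", 1), OPENSSL_PKCS1_PADDING);
openssl_private_decrypt($ct, $pt, $key, OPENSSL_PKCS1_OAEP_PADDING);
openssl_private_decrypt($ct, $pt, $key, $cfg["padding"]);
'''

def split_args(src, start):
    """Top-level arguments of a call; start is the index just after its '('.
    Brackets are balanced; quoted strings are not parsed (a known limit)."""
    args, depth, cur = [], 1, ""
    for ch in src[start:]:
        if ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
            if depth == 0:
                return args + [cur.strip()]
        if ch == "," and depth == 1:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return args  # unterminated call: return what was collected

def find_pkcs1_decrypt(php_source):
    """Return (line, reason) for calls that use or may use PKCS#1 v1.5 padding."""
    hits = []
    for m in CALL.finditer(php_source):
        args = split_args(php_source, m.end())
        line = php_source.count("\n", 0, m.start()) + 1
        if len(args) < 4:
            hits.append((line, "default padding"))
        elif re.search(r"\bOPENSSL_PKCS1_PADDING\b", args[3]):
            hits.append((line, "explicit OPENSSL_PKCS1_PADDING"))
        elif not re.search(r"\bOPENSSL_\w+_PADDING\b", args[3]):
            hits.append((line, "padding chosen at runtime"))
    return hits

if __name__ == "__main__":
    for hit in find_pkcs1_decrypt(SAMPLE_PHP):
        print(hit)
```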
10. What public intelligence references and advisories exist?
Key public intelligence references and advisories for this vulnerability include:
  • CVE Entry: CVE-2024-2408, providing the official vulnerability description and details.
  • OpenSSL Pull Request: The specific OpenSSL pull request addressing the underlying cryptographic issue: https://github.com/openssl/openssl/pull/13817 (titled rsa_pkcs1_implicit_rejection). This is critical for understanding the technical fix.
  • PHP Release Notes/Advisories: Official release notes for PHP versions 8.1.29, 8.2.20, and 8.3.8 and above, which confirm the inclusion of the OpenSSL patches for Windows builds.
  • Vendor Advisories: Security advisories from various Linux distribution vendors (e.g., Red Hat, Debian, Ubuntu) that would detail the backporting of the OpenSSL fix to their respective packages.
11. What is the risk assessment and urgency level?
The risk assessment for CVE-2024-2408 is Medium, based on its CVSS score of 5.9. However, the urgency level should be considered Medium to High due to the nature of the vulnerability.
  • Impact: The Marvin Attack is a severe cryptographic oracle attack that can lead to the full decryption of RSA-encrypted data or session keys, severely compromising confidentiality. Given that PKCS1 padding is a common default, many applications could be exposed.
  • Exploitability: While cryptographic oracle attacks can be complex, well-documented techniques exist for Bleichenbacher-style attacks like Marvin.
  • Prevalence: PHP is widely used, and the default use of PKCS1 padding makes a significant portion of its cryptographic operations potentially vulnerable if running on unpatched OpenSSL versions.
Organizations are strongly advised to prioritize patching, especially for systems handling highly sensitive data encrypted with RSA/PKCS1. Immediate action is recommended to assess exposure and apply available updates.

No exploits found for this CVE

Configuration 1
Type | Vendor | Product
App | Php | php
Configuration 2
Type | Vendor | Product
OS | Fedoraproject | fedora
Reference | Link
AF854A3A-2127-422B-91AE-364DA2661108 | https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864
AF854A3A-2127-422B-91AE-364DA2661108 | https://lists.fedoraproject.org/archives/list/[email protected]/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/
AF854A3A-2127-422B-91AE-364DA2661108 | https://lists.fedoraproject.org/archives/list/[email protected]/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/
AF854A3A-2127-422B-91AE-364DA2661108 | https://security.netapp.com/advisory/ntap-20250321-0008/
[email protected] | https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864
[email protected] | https://lists.fedoraproject.org/archives/list/[email protected]/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/
[email protected] | https://lists.fedoraproject.org/archives/list/[email protected]/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/
GITHUB | https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864
CWE ID | CWE Name | Description
CWE-203 | Observable Discrepancy | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
