Executive Summary

This vulnerability is a timing side-channel issue in Oberon microsystem AG's ocrypto library versions 3.1.0 to 3.9.1. It occurs in the AES-CBC decryption process with PKCS#7 padding, where the padding removal is not done in constant time. An attacker can send many ciphertext probes and measure timing differences between padding error and no error responses to perform a padding oracle attack. This allows the attacker to determine the exact plaintext length and recover the plaintext byte-by-byte. [1]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows an attacker to fully recover plaintext data encrypted with AES-CBC and PKCS#7 padding in the affected versions of the ocrypto library. This means sensitive information could be exposed if an attacker can send many ciphertext probes and measure response timings, potentially compromising confidentiality of encrypted communications or stored data. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by analyzing timing discrepancies in AES-CBC PKCS#7 decryption operations, specifically by sending numerous ciphertext probes and measuring the time taken for padding error versus no padding error responses. There are no specific commands provided in the resources, but detection involves timing side-channel analysis targeting the function `ocrypto_aes_cbc_pkcs_final_dec` in the affected library versions. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading the ocrypto library to version 3.9.2 or later, where partial mitigation has been implemented by making the padding removal code constant-time. Additionally, clients should implement application-specific, constant-time integrity validation of decrypted messages to fully mitigate the vulnerability. [1]

Useful 0 Not Useful 0