Title: Timing side-channel vulnerability in AES-CBC decryption with PKCS#7 padding in ocrypto

CVE ID: CVE-2025-7071

Severity: medium

Short description

Padding oracle attack vulnerability in Oberon microsystem AG’s ocrypto library in all versions since 3.1.0 and prior to 3.9.2 allows an attacker to recover plaintexts via timing measurements of AES-CBC PKCS#7 decrypt operations.

Vulnerability

ocrypto is vulnerable to a timing side-channel attack on its implementation of PKCS#7 padding removal. Its AES-CBC code (function ocrypto_aes_cbc_pkcs_final_dec in file ocrypto_aes_cbc_pkcs.c) is not constant-time: the timing differences between “no padding error” and “padding error” could be used by an attacker that is able to send thousands of ciphertexts as probes. First, the length of the actual message could be determined, and then byte by byte the actual message contents. All clients that use AES-CBC PKCS#7 are affected.

Impact

Full plaintext recovery.

Affected versions

The issue affects all versions of ocrypto from 3.1.0 to 3.9.1 inclusive.

Resolution

As a partial mitigation, the code was made constant-time in release 3.9.2. Affected clients should upgrade to this version.

A full mitigation is outside the scope of ocrypto: it requires clients to validate the integrity of a decrypted message, in an application-specific and constant-time way.