CVE-2025-7383

Title: Timing side-channel vulnerability in AES-CBC decryption with PKCS#7 padding in Oberon PSA Crypto

CVE ID: CVE-2025-7383

Severity: medium


Short description

A padding oracle vulnerability in Oberon microsystem AG’s Oberon PSA Crypto library, in all versions since 1.0.0 and prior to 1.5.1, allows an attacker to recover plaintexts via timing measurements of AES-CBC PKCS#7 decrypt operations.


Vulnerability

Oberon PSA Crypto is vulnerable to a timing side-channel attack on its PKCS#7 padding removal. The AES-CBC code (the function psa_cipher_finish in psa_crypto.c and the corresponding driver function in oberon_cipher.c) is not constant-time: the timing difference between “no padding error” and “padding error” is observable to an attacker who is able to submit thousands of ciphertexts as probes. The attacker first determines the length of the actual message, then recovers its contents byte by byte. All clients that use AES-CBC with PKCS#7 padding are affected.


Impact

Full plaintext recovery.


Affected versions

The issue affects all versions of Oberon PSA Crypto from 1.0.0 to 1.5.0 inclusive.


Resolution

As a partial mitigation, the padding check was made constant-time in release 1.5.1. Affected clients should upgrade to this version.

A full mitigation is outside the scope of Oberon PSA Crypto: it requires clients to validate the integrity of a decrypted message in an application-specific and constant-time way.
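To illustrate the defect described under Vulnerability and the kind of fix described under Resolution, the added example below (not Oberon's code, which is not on this page) contrasts a variable-time PKCS#7 unpad that returns on the first bad byte with a constant-time variant that always scans the whole last block and folds every check into a mask. The function names, mask helpers and test vectors are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define AES_BLOCK 16

/* Branch-free comparisons: return 0xFF when the relation holds, else 0x00.
   Inputs are small (< 2^31), so the sign bit of the difference is the verdict. */
static uint8_t ct_lt(uint32_t a, uint32_t b) { return (uint8_t)(0 - ((a - b) >> 31)); }
static uint8_t ct_eq(uint32_t a, uint32_t b) { uint32_t x = a ^ b; return (uint8_t)(0 - ((x - 1) >> 31)); }

/* Variable-time reference, the pattern the advisory describes: it returns early on the
   first bad byte, so its runtime depends on secret plaintext. Returns 1 on valid padding. */
int pkcs7_unpad_naive(const uint8_t *buf, size_t len, size_t *out_len) {
    uint8_t pad = buf[len - 1];
    if (pad == 0 || pad > AES_BLOCK) return 0;
    for (size_t i = len - pad; i < len; i++)
        if (buf[i] != pad) return 0;
    *out_len = len - pad;
    return 1;
}

/* Constant-time variant: always examines the whole last block and accumulates the
   verdict in a mask, so "padding ok" and "padding error" take the same time.
   Only len (public) is branched on. Returns 1 on valid padding, 0 otherwise. */
int pkcs7_unpad_ct(const uint8_t *buf, size_t len, size_t *out_len) {
    if (len < AES_BLOCK || len % AES_BLOCK != 0) return 0;
    uint32_t pad = buf[len - 1];
    uint8_t good = ct_lt(0, pad) & ct_lt(pad, AES_BLOCK + 1);   /* 1 <= pad <= 16 */
    for (size_t i = len - AES_BLOCK; i < len; i++) {
        uint32_t dist = (uint32_t)(len - i);                    /* 1..16 from the end */
        /* Bytes within the last `pad` positions must equal pad; earlier bytes are free. */
        good &= ct_lt(pad, dist) | ct_eq(buf[i], pad);
    }
    *out_len = len - (pad & good);   /* meaningful only when the result is 1 */
    return good & 1;
}

/* Constructed vectors (not from the advisory): a valid 5-byte pad, a corrupted pad,
   a full block of padding, and an out-of-range pad byte. Both functions must agree. */
int self_check(void) {
    uint8_t ok[16]  = {'h','e','l','l','o',' ','w','o','r','l','d',5,5,5,5,5};
    uint8_t bad[16] = {'h','e','l','l','o',' ','w','o','r','l','d',5,4,5,5,5};
    uint8_t full[16] = {16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16}, zero[16] = {0};
    size_t a = 99, b = 99, c = 99;
    return pkcs7_unpad_ct(ok, 16, &a) == 1 && a == 11 && pkcs7_unpad_naive(ok, 16, &b) == 1 && b == 11
        && pkcs7_unpad_ct(bad, 16, &a) == 0 && pkcs7_unpad_naive(bad, 16, &b) == 0
        && pkcs7_unpad_ct(full, 16, &c) == 1 && c == 0 && pkcs7_unpad_ct(zero, 16, &c) == 0;
}
```

Mask-based source is only as constant-time as the compiled output, so the generated code should be inspected after optimisation. Even then, the caller must still verify an authentication tag before acting on the plaintext, which is the full mitigation the Resolution section leaves to the client.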