CVE-2025-9071

Title: Insecure RSA-OAEP implementation with all-zero seed for padding in Oberon PSA Crypto

CVE ID: CVE-2025-9071

Severity: low


Short description

Erroneously using an all-zero seed for RSA-OAEP padding instead of the generated random bytes, in Oberon microsystems AG’s Oberon PSA Crypto library in all versions up to 1.5.1, results in deterministic RSA encryption and thus in a loss of confidentiality for guessable messages, recognition of repeated messages, and loss of security proofs.


Vulnerability

Oberon PSA Crypto versions 1.5.1 (unpatched) and earlier do not use the generated random seed but instead use zero bytes as input for the padding algorithm. OAEP’s design relies on a cryptographically secure random seed to achieve semantic security (indistinguishability under chosen-plaintext attack). The absence of entropy makes ciphertext generation fully deterministic, so identical plaintexts produce identical ciphertexts. This flaw violates the PKCS #1 (RFC 8017) requirements and reduces OAEP to a predictable padding scheme. It may affect applications, protocol stacks and SDKs that use RSA-OAEP for asymmetric encryption. Key exchange protocols that use RSA-OAEP should not be affected, as the exchanged keys should not be guessable.
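As an added illustration (not code from Oberon PSA Crypto), the EME-OAEP encoding step of RFC 8017 is implemented below in Python with the seed passed in explicitly, next to the kind of self-check a test suite can run: encoding the same message twice must never yield the same encoded block. The all-zero-seed variant models the defect described above; since the RSA modular exponentiation that follows is deterministic, identical encoded blocks give identical ciphertexts.

```python
import hashlib
import os


def mgf1(seed: bytes, length: int, hash_fn=hashlib.sha256) -> bytes:
    """MGF1 mask generation function (RFC 8017, B.2.1)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hash_fn(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def eme_oaep_encode(message: bytes, k: int, seed: bytes,
                    label: bytes = b"", hash_fn=hashlib.sha256) -> bytes:
    """EME-OAEP encoding (RFC 8017, 7.1.1 step 2). k is the modulus length in bytes."""
    h_len = hash_fn().digest_size
    if len(seed) != h_len:
        raise ValueError("seed must be hLen bytes")
    if len(message) > k - 2 * h_len - 2:
        raise ValueError("message too long")
    l_hash = hash_fn(label).digest()
    ps = b"\x00" * (k - len(message) - 2 * h_len - 2)
    db = l_hash + ps + b"\x01" + message            # DB = lHash || PS || 0x01 || M
    db_mask = mgf1(seed, k - h_len - 1, hash_fn)
    masked_db = bytes(a ^ b for a, b in zip(db, db_mask))
    seed_mask = mgf1(masked_db, h_len, hash_fn)
    masked_seed = bytes(a ^ b for a, b in zip(seed, seed_mask))
    return b"\x00" + masked_seed + masked_db        # EM = 0x00 || maskedSeed || maskedDB


def encode_correct(message: bytes, k: int) -> bytes:
    """Correct behaviour: a fresh random seed of hLen bytes per encryption."""
    return eme_oaep_encode(message, k, os.urandom(hashlib.sha256().digest_size))


def encode_buggy(message: bytes, k: int) -> bytes:
    """Models the defect: the generated random bytes are discarded, zero bytes are used."""
    return eme_oaep_encode(message, k, bytes(hashlib.sha256().digest_size))


def is_deterministic(encode, message: bytes, k: int, trials: int = 3) -> bool:
    """Self-check for a test suite: an OAEP encoder that repeats its output is broken."""
    first = encode(message, k)
    return all(encode(message, k) == first for _ in range(trials - 1))
```

Running the check against a library under test (encrypt the same message twice with the same public key and compare) is a cheap regression test for this class of bug.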


Impact

Loss of confidentiality of guessable messages.


Affected versions

The issue affects all versions of Oberon PSA Crypto from 1.0.0 to 1.5.1 (unpatched).


Resolution

The vulnerability was fixed with rsa_oaep_padding.patch for release 1.5.1. Affected clients should upgrade to this or a newer version.

Credit

Reported by Nordic Semiconductor ASA.