Mbed TLS
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*
- <= 3.6.4
A padding oracle vulnerability has been identified in Mbed TLS versions prior to 3.6.4. This vulnerability arises from an observable timing discrepancy in the decryption process of ciphertexts with padding, particularly in CBC-PKCS7 mode. When the PSA Crypto API is used, the error handling is not constant-time, allowing local attackers to infer information about the plaintext or recover secret parts by exploiting the timing of error reports. While the legacy API can be vulnerable depending on how errors are managed, the main risk lies in the PSA API when using the built-in CBC-PKCS7 implementation.
Exploitation of this vulnerability could lead to a padding oracle attack, allowing partial recovery of plaintext encrypted with CBC-PKCS7 or other symmetric modes that use padding, when decrypted through the PSA API. Applications using the legacy API with padded CBC or ECB modes may also be affected, depending on their error handling.
Users should upgrade to Mbed TLS 3.6.5 or later. For applications using the legacy API, review error handling when decrypting with CBC or ECB modes that include padding, and consider switching to `mbedtls_cipher_finish_padded()`, which simplifies the management of invalid-padding errors. Applications using the PSA Crypto API with `PSA_ALG_CBC_PKCS7` should handle errors carefully to mitigate the risk of local timing attacks.
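To illustrate the defect class behind this advisory (error reporting whose timing depends on secret data), here is an added example, not Mbed TLS's own code: a data-dependent PKCS#7 unpadding check next to a constant-time one for a 16-byte block cipher. Function names, helpers and the sample buffers are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example (not Mbed TLS code): two PKCS#7 unpadding checks for a
 * 16-byte block cipher. Both return the payload length, or -1 on bad padding. */

/* Naive version: early returns make the rejection time depend on the secret
 * bytes, which is the timing difference a padding oracle is built on. */
long pkcs7_unpad_naive(const uint8_t *buf, size_t len) {
    if (len == 0 || len % 16 != 0) return -1;
    uint8_t pad = buf[len - 1];
    if (pad == 0 || pad > 16) return -1;
    for (size_t i = 1; i < pad; i++)
        if (buf[len - 1 - i] != pad) return -1;  /* exits at first mismatch */
    return (long)(len - pad);
}

/* Constant-time helpers: each returns 0xFF when the condition holds, else 0.
 * Inputs are small (< 2^31), so the sign-bit trick after subtraction is valid. */
static uint8_t ct_lt(uint32_t a, uint32_t b) { return (uint8_t)(0u - ((a - b) >> 31)); }
static uint8_t ct_ne(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;
    return (uint8_t)(0u - ((x | (0u - x)) >> 31));
}

/* Constant-time version: always examines all 16 bytes of the last block and
 * never branches on pad or on the byte comparisons; the verdict is a mask. */
long pkcs7_unpad_ct(const uint8_t *buf, size_t len) {
    if (len == 0 || len % 16 != 0) return -1;   /* ciphertext length is public */
    uint32_t pad = buf[len - 1];
    uint8_t bad = ct_lt(pad, 1) | ct_lt(16, pad);  /* pad == 0 or pad > 16 */
    for (uint32_t i = 0; i < 16; i++) {
        uint8_t in_pad = ct_lt(i, pad);          /* 0xFF if this byte must equal pad */
        bad |= in_pad & ct_ne(buf[len - 1 - i], pad);
    }
    /* Branch-free result: -1 if bad, else len - pad. A caller that then takes a
     * visibly slower or different path on error reintroduces the leak, which is
     * the error-handling concern the advisory raises for the PSA API. */
    long ok_len = (long)(len - pad);
    long mask = (long)(bad & 1u) * -1;   /* -1 (all ones) if bad, else 0 */
    return (ok_len & ~mask) | mask;
}

/* Constructed sample blocks: 13 payload bytes + 3 padding bytes, the same block
 * with one padding byte corrupted, and a block that is entirely padding. */
static const uint8_t SAMPLE_OK[16]   = { 'a','b','c','d','e','f','g','h','i','j','k','l','m', 3, 3, 3 };
static const uint8_t SAMPLE_BAD[16]  = { 'a','b','c','d','e','f','g','h','i','j','k','l','m', 3, 9, 3 };
static const uint8_t SAMPLE_FULL[16] = { 16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16 };
```

Both functions agree on every verdict; the difference is only in how much of the block is touched and whether the control flow depends on the padding bytes.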