Mbed TLS
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*, +1 more
- <= 4.0.0
A timing side channel vulnerability has been identified in Mbed TLS versions through 4.0.0 and in TF-PSA-Crypto versions through 1.0.0. This vulnerability, which affects RSA and CBC/ECB decryption, is introduced by certain compiler optimizations that can disrupt constant-time operations, potentially allowing an attacker to exploit padding oracle conditions. The issue arises when Mbed TLS is compiled with Clang 18 using the LLVM select-optimize feature, particularly for 64-bit RISC-V architectures.
Exploitation of this vulnerability creates a timing-based side channel that can be used in padding oracle attacks, allowing an adversary to recover plaintext from decrypted ciphertexts that used padding, such as RSA-PKCS#1v1.5 or CBC with PKCS#7.
To reproduce this vulnerability, Mbed TLS or TF-PSA-Crypto must be compiled with Clang 18, using the LLVM select-optimize feature enabled, and targeted for 64-bit RISC-V. This can be done by specifying the appropriate optimization flags during compilation. Once compiled, the vulnerability can be observed by submitting chosen ciphertexts to an application using the affected library, and measuring the timing of the decryption process.
Users can disable the LLVM select-optimize feature when compiling with Clang, for example by building with the default optimization flags -O2 or -Os; rebuilding Mbed TLS or TF-PSA-Crypto with these flags addresses the vulnerability.
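The following is an added illustration, not Mbed TLS or TF-PSA-Crypto code, of the kind of mask-based constant-time pattern the advisory above is about: a branch-free select and a PKCS#7 padding check that reads every byte of the block and does the same work whether or not the padding is valid. The helper names (ct_mask_nonzero, ct_select, ct_pkcs7_check) and the sample blocks are constructed for this example. The source is only half of the story: a compiler pass that rewrites the mask-and-or select into a conditional branch reintroduces the timing difference, so a practitioner building for a given target checks the emitted assembly (or a timing test) with the exact compiler and flags that will ship, which is why the mitigation on this page is expressed in terms of build flags.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Mask helpers: each returns 0xFFFFFFFF or 0 without a data-dependent branch.
 * ct_mask_lt assumes both operands are below 2^31, which holds for byte
 * values and block lengths. */
static uint32_t ct_mask_nonzero(uint32_t x) {
    /* (x | -x) has its top bit set exactly when x != 0 */
    return (uint32_t)0 - ((x | (0u - x)) >> 31);
}

static uint32_t ct_mask_eq(uint32_t a, uint32_t b) {
    return ~ct_mask_nonzero(a ^ b);
}

static uint32_t ct_mask_lt(uint32_t a, uint32_t b) {
    /* a - b wraps to a value with the top bit set exactly when a < b */
    return (uint32_t)0 - ((a - b) >> 31);
}

/* Branch-free select: returns a where mask is all-ones, b where it is zero.
 * This mask-and-or form is the pattern a select-optimisation pass may turn
 * back into a conditional branch, which is the failure mode the advisory describes. */
static uint32_t ct_select(uint32_t mask, uint32_t a, uint32_t b) {
    return (a & mask) | (b & ~mask);
}

/* Constant-time PKCS#7 padding check over one block.
 * Returns 0xFFFFFFFF if the padding is valid, 0 otherwise. Every byte is read
 * and every iteration does identical work, so validity does not change the
 * amount of work done (provided the compiler keeps the masks branch-free). */
uint32_t ct_pkcs7_check(const uint8_t *block, size_t block_len) {
    uint32_t pad = block[block_len - 1];
    /* padding value must satisfy 1 <= pad <= block_len */
    uint32_t valid = ct_mask_nonzero(pad) & ct_mask_lt(pad, (uint32_t)block_len + 1);

    for (size_t i = 0; i < block_len; i++) {
        uint32_t dist = (uint32_t)(block_len - i);   /* distance from the end, 1..block_len */
        uint32_t in_pad = ct_mask_lt(dist, pad + 1); /* all-ones when dist <= pad */
        uint32_t eq = ct_mask_eq(block[i], pad);
        /* inside the padding the byte must equal pad; outside it is unconstrained */
        valid &= eq | ~in_pad;
    }
    return valid;
}

/* Plaintext length after stripping padding, or 0 when the padding is invalid.
 * ct_select keeps the invalid path on the same instruction sequence as the valid one. */
size_t ct_pkcs7_unpadded_len(const uint8_t *block, size_t block_len) {
    uint32_t valid = ct_pkcs7_check(block, block_len);
    uint32_t pad = block[block_len - 1];
    return (size_t)ct_select(valid, (uint32_t)block_len - pad, 0);
}

/* Constructed sample blocks (16-byte AES-style blocks) for demonstration. */
const uint8_t sample_ok[16]   = {1,2,3,4,5,6,7,8,9,10,11,12,4,4,4,4};  /* valid, 4 bytes of padding */
const uint8_t sample_bad[16]  = {1,2,3,4,5,6,7,8,9,10,11,12,4,4,3,4};  /* one padding byte wrong */
const uint8_t sample_zero[16] = {0};                                    /* pad value 0 is never valid */
const uint8_t sample_full[16] = {16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16}; /* whole block is padding */
const uint8_t sample_big[16]  = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,17}; /* pad value exceeds block length */

int main(void) {
    printf("ok:   valid=%u len=%zu\n", ct_pkcs7_check(sample_ok, 16) != 0, ct_pkcs7_unpadded_len(sample_ok, 16));
    printf("bad:  valid=%u len=%zu\n", ct_pkcs7_check(sample_bad, 16) != 0, ct_pkcs7_unpadded_len(sample_bad, 16));
    printf("full: valid=%u len=%zu\n", ct_pkcs7_check(sample_full, 16) != 0, ct_pkcs7_unpadded_len(sample_full, 16));
    return 0;
}
```

Compiling this with the flags named in the advisory for a RISC-V target and inspecting the object code for conditional branches inside ct_pkcs7_check is the check that the source-level discipline survived the compiler; the C code alone cannot guarantee that.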