Padding Oracle in AES-NI CBC MAC Check (CVE-2016-2107)

Padding Oracle in AES-NI CBC MAC Check (CVE-2016-2107)



The developers of the OpenSSL project recently announced several vulnerabilities in the OpenSSL cryptography software. OpenSSL is an open-source implementation of the SSL and TLS protocols used by a number of applications and products. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols which ensure secure communication over the Internet via encryption. One of the high severity vulnerabilities discovered (CVE-2016-2107), if successfully exploited, could allow an attacker to eavesdrop on encrypted communications. This would allow the attacker to possibly intercept login credentials or session details such as cookies.

CVE -2016-2107 utilizes a padding oracle attack to allow a MITM attacker to decrypt communications when using an AES CBC cipher with server support for AES-NI (Advanced Encryption Standard – New Instructions) instruction set.

To determine if your web server supports the AES-NI instruction set, you can run the following command:

grep -m1 -o aes /proc/cpuinfo

Filippo Valsorda with CloudFlare wrote a small utility to test for CVE-2016-2107:

Support Information

Additional Information can be found at:


  • Upgrade to OpenSSL 1.0.1t
  • Upgrade to OpenSSL 1.0.2h

Vulnerable Versions

  • 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p
  • 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l
  • 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h
  • 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d
  • 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1
  • 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d
  • 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2