warning of timing vulnerability with CBC-mode symmetric decryption using padding.

[BillWagner]

See #2609 (comment)

The following algorithms are all affected:

• Aes
• AesCng
• AesCryptoServiceProvider
• AesManaged
• DES
• DESCryptoServiceProvider
• RC2
• RC2CryptoServiceProvider
• Rijndael
• RijndaelManaged
• TripleDES
• TripleDESCng
• TripleDESCryptoServiceProvider

[jackdaus]

Bumping this issue since I noticed it recently while working with the AES class. The code example in the Aes class docs (https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aes) is susceptible to a padding oracle attack, as described by https://learn.microsoft.com/en-us/dotnet/standard/security/vulnerabilities-cbc-mode.

I almost used this sample code in production, so I think we should warn folks that the sample code as provided is not secure! Or maybe we should just remove the sample code completely? Or maybe switching to use a different mode other than CBC will prevent a padding oracle attack? (I am not an expert, so I am not sure about that last one.)

The code snippet with the insecure sample code can be found here: https://github.com/dotnet/dotnet-api-docs/blob/main/snippets/csharp/System.Security.Cryptography/Aes/Overview/program.cs

And the Aes docs page is here https://github.com/dotnet/dotnet-api-docs/blob/main/xml/System.Security.Cryptography/Aes.xml