{"vuid":"VU#166743","idnumber":"166743","name":"Das U-Boot AES-CBC encryption implementation contains multiple vulnerabilities","keywords":["uboot","aes","encryption","crypto"],"overview":"Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector and improper handling of an error condition may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data.","clean_desc":"CWE-329: Not Using a Random IV with CBC Mode - CVE-2017-3225 Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data. CWE-208: Information Exposure Through Timing Discrepancy - CVE-2017-3226 Devices that make use of Das U-Boot's AES-CBC encryption feature using environment encryption (i.e., setting the configuration parameter CONFIG_ENV_AES=y) read environment variables from disk as the encrypted disk image is processed. An attacker with physical access to the device can manipulate the encrypted environment data to include a crafted two-byte sequence which triggers an error in environment variable parsing. This error condition is improperly handled by Das U-Boot, resulting in an immediate process termination with a debugging message. The immediate failure can be used as an oracle for a Vaudenay-style timing attack on the cryptography, allowing a dedicated attacker to decrypt and potentially modify the contents of the device.","impact":"An attacker with physical access to the device may be able to decrypt the device's contents.","resolution":"The CERT/CC is currently unaware of a practical solution to this problem.\nU-Boot versions prior to 2017.09 contain the vulnerable code; the feature was deprecated and removed in the 2017.09 release.","workarounds":"","sysaffected":"","thanks":"Thanks to Allan Xavier for reporting this vulnerability.","author":"This document was written by Garret Wassermann.","public":["https://cwe.mitre.org/data/definitions/208.html","http://cwe.mitre.org/data/definitions/329.html"],"cveids":["CVE-2017-3225","CVE-2017-3226"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2017-06-29T17:38:32Z","publicdate":"2017-09-08T00:00:00Z","datefirstpublished":"2017-09-08T16:39:23Z","dateupdated":"2017-10-12T12:52:05Z","revision":55,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"L","cvss_accesscomplexity":"H","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"5.6","cvss_basevector":"AV:L/AC:H/Au:N/C:C/I:C/A:N","cvss_temporalscore":"5","cvss_environmentalscore":"3.81229308432","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}