Vulnerability Note VU#166743
Das U-Boot AES-CBC encryption implementation contains multiple vulnerabilities
Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector and improper handling of an error condition may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data.
CWE-329: Not Using a Random IV with CBC Mode - CVE-2017-3225
Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data.
Devices that make use of Das U-Boot's AES-CBC encryption feature using environment encryption (i.e., setting the configuration parameter CONFIG_ENV_AES=y) read environment variables from disk as the encrypted disk image is processed. An attacker with physical access to the device can manipulate the encrypted environment data to include a crafted two-byte sequence which triggers an error in environment variable parsing. This error condition is improperly handled by Das U-Boot, resulting in an immediate process termination with a debugging message.
The immediate failure can be used as an oracle for a Vaudenay-style timing attack on the cryptography, allowing a dedicated attacker to decrypt and potentially modify the contents of the device.
An attacker with physical access to the device may be able to decrypt the device's contents.
The CERT/CC is currently unaware of a practical solution to this problem. U-Boot versions prior to 2017.09 contain the vulnerable code; the feature was deprecated and removed in the 2017.09 release.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|D-Link Systems, Inc.||Not Affected||03 Jul 2017||18 Aug 2017|
|Juniper Networks||Not Affected||03 Jul 2017||23 Aug 2017|
|NXP Semiconductors Inc.||Not Affected||03 Jul 2017||14 Sep 2017|
|QUALCOMM Incorporated||Not Affected||03 Jul 2017||17 Jul 2017|
|Texas Instruments||Not Affected||03 Jul 2017||21 Sep 2017|
|Ubiquiti Networks||Not Affected||03 Jul 2017||18 Jul 2017|
|Broadcom||Unknown||03 Jul 2017||03 Jul 2017|
|Brocade Communication Systems||Unknown||03 Jul 2017||03 Jul 2017|
|Cavium||Unknown||03 Jul 2017||03 Jul 2017|
|Cisco||Unknown||03 Jul 2017||03 Jul 2017|
|DENX Software||Unknown||06 Jul 2017||06 Jul 2017|
|Imagination Technologies||Unknown||03 Jul 2017||03 Jul 2017|
|Marvell Semiconductors||Unknown||03 Jul 2017||03 Jul 2017|
|Oracle Corporation||Unknown||03 Jul 2017||03 Jul 2017|
|STMicroelectronics||Unknown||03 Jul 2017||03 Jul 2017|
CVSS Metrics (Learn More)
Thanks to Allan Xavier for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2017-3225 CVE-2017-3226
- Date Public: 08 Sep 2017
- Date First Published: 08 Sep 2017
- Date Last Updated: 21 Sep 2017
- Document Revision: 51
If you have feedback, comments, or additional information about this vulnerability, please send us email.