Vulnerability Note VU#166743

Das U-Boot AES-CBC encryption implementation contains multiple vulnerabilities

Original Release date: 08 Sep 2017 | Last revised: 12 Oct 2017


Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector and improper handling of an error condition may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data.


CWE-329: Not Using a Random IV with CBC Mode - CVE-2017-3225

Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data.

CWE-208: Information Exposure Through Timing Discrepancy - CVE-2017-3226

Devices that make use of Das U-Boot's AES-CBC encryption feature using environment encryption (i.e., setting the configuration parameter CONFIG_ENV_AES=y) read environment variables from disk as the encrypted disk image is processed. An attacker with physical access to the device can manipulate the encrypted environment data to include a crafted two-byte sequence which triggers an error in environment variable parsing. This error condition is improperly handled by Das U-Boot, resulting in an immediate process termination with a debugging message.

The immediate failure can be used as an oracle for a Vaudenay-style timing attack on the cryptography, allowing a dedicated attacker to decrypt and potentially modify the contents of the device.


An attacker with physical access to the device may be able to decrypt the device's contents.


The CERT/CC is currently unaware of a practical solution to this problem. U-Boot versions prior to 2017.09 contain the vulnerable code; the feature was deprecated and removed in the 2017.09 release.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Brocade Communication SystemsNot Affected03 Jul 201712 Oct 2017
D-Link Systems, Inc.Not Affected03 Jul 201718 Aug 2017
Juniper NetworksNot Affected03 Jul 201723 Aug 2017
NXP Semiconductors Inc.Not Affected03 Jul 201714 Sep 2017
QUALCOMM IncorporatedNot Affected03 Jul 201717 Jul 2017
Texas InstrumentsNot Affected03 Jul 201721 Sep 2017
Ubiquiti NetworksNot Affected03 Jul 201718 Jul 2017
BroadcomUnknown03 Jul 201703 Jul 2017
CaviumUnknown03 Jul 201703 Jul 2017
CiscoUnknown03 Jul 201703 Jul 2017
DENX SoftwareUnknown06 Jul 201706 Jul 2017
Imagination TechnologiesUnknown03 Jul 201703 Jul 2017
Marvell SemiconductorsUnknown03 Jul 201703 Jul 2017
Oracle CorporationUnknown03 Jul 201703 Jul 2017
STMicroelectronicsUnknown03 Jul 201703 Jul 2017
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 5.6 AV:L/AC:H/Au:N/C:C/I:C/A:N
Temporal 5.0 E:POC/RL:U/RC:C
Environmental 3.8 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND



Thanks to Allan Xavier for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2017-3225 CVE-2017-3226
  • Date Public: 08 Sep 2017
  • Date First Published: 08 Sep 2017
  • Date Last Updated: 12 Oct 2017
  • Document Revision: 54


If you have feedback, comments, or additional information about this vulnerability, please send us email.