Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector and improper handling of an error condition may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data.
CWE-329: Not Using a Random IV with CBC Mode - CVE-2017-3225
Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data.
Devices that make use of Das U-Boot's AES-CBC encryption feature using environment encryption (i.e., setting the configuration parameter CONFIG_ENV_AES=y) read environment variables from disk as the encrypted disk image is processed. An attacker with physical access to the device can manipulate the encrypted environment data to include a crafted two-byte sequence which triggers an error in environment variable parsing. This error condition is improperly handled by Das U-Boot, resulting in an immediate process termination with a debugging message.
The immediate failure can be used as an oracle for a Vaudenay-style timing attack on the cryptography, allowing a dedicated attacker to decrypt and potentially modify the contents of the device.
An attacker with physical access to the device may be able to decrypt the device's contents.
The CERT/CC is currently unaware of a practical solution to this problem. U-Boot versions prior to 2017.09 contain the vulnerable code; the feature was deprecated and removed in the 2017.09 release.
Brocade Communication Systems Not Affected
D-Link Systems, Inc. Not Affected
Juniper Networks Not Affected
NXP Semiconductors Inc. Not Affected
QUALCOMM Incorporated Not Affected
Texas Instruments Not Affected
Ubiquiti Networks Not Affected
DENX Software Unknown
Imagination Technologies Unknown
Marvell Semiconductors Unknown
Oracle Corporation Unknown
Thanks to Allan Xavier for reporting this vulnerability.
This document was written by Garret Wassermann.