Vulnerability Note VU#166743
Das U-Boot AES-CBC encryption implementation contains multiple vulnerabilities
Original Release date: 08 Sep 2017 | Last revised: 12 Oct 2017

Overview
Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file.

For devices utilizing this environment encryption mode, U-Boot’s use of a zero initialization vector and improper handling of an error condition may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data.

Description
CWE-329: Not Using a Random IV with CBC Mode – CVE-2017-3225
Das U-Boot’s AES-CBC encryption feature uses a zero (0) initialization vector.

This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data.

CWE-208: Information Exposure Through Timing Discrepancy – CVE-2017-3226

Devices that make use of Das U-Boot’s AES-CBC encryption feature using environment encryption (i.e., setting the configuration parameter CONFIG_ENV_AES=y) read environment variables from disk as the encrypted disk image is processed.

An attacker with physical access to the device can manipulate the encrypted environment data to include a crafted two-byte sequence which triggers an error in environment variable parsing.

This error condition is improperly handled by Das U-Boot, resulting in an immediate process termination with a debugging message.

The immediate failure can be used as an oracle for a Vaudenay-style timing attack on the cryptography, allowing a dedicated attacker to decrypt and potentially modify the contents of the device.

Impact
An attacker with physical access to the device may be able to decrypt the device’s contents.

Solution
The CERT/CC is currently unaware of a practical solution to this problem. U-Boot versions prior to 2017.09 contain the vulnerable code; the feature was deprecated and removed in the 2017.09 release.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate UpdatedBrocade Communication SystemsNot Affected03 Jul 201712 Oct 2017
D-Link Systems, Inc.Not Affected03 Jul 201718 Aug 2017
Juniper NetworksNot Affected03 Jul 201723 Aug 2017
NXP Semiconductors Inc.Not Affected03 Jul 201714 Sep 2017
QUALCOMM IncorporatedNot Affected03 Jul 201717 Jul 2017
Texas InstrumentsNot Affected03 Jul 201721 Sep 2017
Ubiquiti NetworksNot Affected03 Jul 201718 Jul 2017
BroadcomUnknown03 Jul 201703 Jul 2017
CaviumUnknown03 Jul 201703 Jul 2017
CiscoUnknown03 Jul 201703 Jul 2017
DENX SoftwareUnknown06 Jul 201706 Jul 2017
Imagination TechnologiesUnknown03 Jul 201703 Jul 2017
Marvell SemiconductorsUnknown03 Jul 201703 Jul 2017
Oracle CorporationUnknown03 Jul 201703 Jul 2017
STMicroelectronicsUnknown03 Jul 201703 Jul 2017If you are a vendor and your product is affected, let
us know.

CVSS Metrics (Learn More)

Group
Score
Vector

Base
5.6
AV:L/AC:H/Au:N/C:C/I:C/A:N

Temporal
5.0
E:POC/RL:U/RC:C

Environmental
3.8
CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

https://cwe.mitre.org/data/definitions/208.html
http://cwe.mitre.org/data/definitions/329.html

Credit

Thanks to Allan Xavier for reporting this vulnerability.
This document was written by Garret Wassermann.

Other Information

CVE IDs:
CVE-2017-3225
CVE-2017-3226

Date Public:
08 Sep 2017

Date First Published:
08 Sep 2017

Date Last Updated:
12 Oct 2017

Document Revision:
54

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.

Leave a Reply