Vulnerability Note VU#166743
Das U-Boot AES-CBC encryption implementation contains multiple vulnerabilities
Original Release date: 08 Sep 2017 | Last revised: 21 Sep 2017
Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file.
For devices utilizing this environment encryption mode, U-Boot’s use of a zero initialization vector and improper handling of an error condition may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data.
CWE-329: Not Using a Random IV with CBC Mode – CVE-2017-3225
Das U-Boot’s AES-CBC encryption feature uses a zero (0) initialization vector.
This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data.
CWE-208: Information Exposure Through Timing Discrepancy – CVE-2017-3226
Devices that make use of Das U-Boot’s AES-CBC encryption feature using environment encryption (i.e., setting the configuration parameter CONFIG_ENV_AES=y) read environment variables from disk as the encrypted disk image is processed.
An attacker with physical access to the device can manipulate the encrypted environment data to include a crafted two-byte sequence which triggers an error in environment variable parsing.
This error condition is improperly handled by Das U-Boot, resulting in an immediate process termination with a debugging message.
The immediate failure can be used as an oracle for a Vaudenay-style timing attack on the cryptography, allowing a dedicated attacker to decrypt and potentially modify the contents of the device.
An attacker with physical access to the device may be able to decrypt the device’s contents.
The CERT/CC is currently unaware of a practical solution to this problem. U-Boot versions prior to 2017.09 contain the vulnerable code; the feature was deprecated and removed in the 2017.09 release.
Vendor Information (Learn More)
VendorStatusDate NotifiedDate UpdatedD-Link Systems, Inc.Not Affected03 Jul 201718 Aug 2017
Juniper NetworksNot Affected03 Jul 201723 Aug 2017
NXP Semiconductors Inc.Not Affected03 Jul 201714 Sep 2017
QUALCOMM IncorporatedNot Affected03 Jul 201717 Jul 2017
Texas InstrumentsNot Affected03 Jul 201721 Sep 2017
Ubiquiti NetworksNot Affected03 Jul 201718 Jul 2017
BroadcomUnknown03 Jul 201703 Jul 2017
Brocade Communication SystemsUnknown03 Jul 201703 Jul 2017
CaviumUnknown03 Jul 201703 Jul 2017
CiscoUnknown03 Jul 201703 Jul 2017
DENX SoftwareUnknown06 Jul 201706 Jul 2017
Imagination TechnologiesUnknown03 Jul 201703 Jul 2017
Marvell SemiconductorsUnknown03 Jul 201703 Jul 2017
Oracle CorporationUnknown03 Jul 201703 Jul 2017
STMicroelectronicsUnknown03 Jul 201703 Jul 2017If you are a vendor and your product is affected, let
CVSS Metrics (Learn More)
Thanks to Allan Xavier for reporting this vulnerability.
This document was written by Garret Wassermann.
08 Sep 2017
Date First Published:
08 Sep 2017
Date Last Updated:
21 Sep 2017
FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.