Vulnerabilities > CVE-2017-3225 - Cryptographic Issues vulnerability in Denx U-Boot

CVSS 2.1 - LOW

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

local

low complexity

denx

CWE-310

NVD

Published: 2018-07-24

Updated: 2019-10-09

Summary

Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data. Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data.

Vulnerable Configurations

Part	Description	Count
Application	Denx Denx U Boot - Denx U Boot 0.2.0 Denx U Boot 0.2.3 Denx U Boot 0.3.0 Denx U Boot 0.3.1 Denx U Boot 0.4.0 Denx U Boot 0.4.1 Denx U Boot 0.4.2 Denx U Boot 0.4.3 Denx U Boot 0.4.4 Denx U Boot 0.4.5 Denx U Boot 0.4.6 Denx U Boot 0.4.7 Denx U Boot 0.4.8 Denx U Boot 1.0.0 Denx U Boot 1.0.1 Denx U Boot 1.0.2 Denx U Boot 1.1.0 Denx U Boot 1.1.1 Denx U Boot 1.1.2 Denx U Boot 1.1.3 Denx U Boot 1.1.4 Denx U Boot 1.1.5 Denx U Boot 1.1.6 Denx U Boot 1.2.0 Denx U Boot 1.3.0 Denx U Boot 1.3.1 Denx U Boot 1.3.3 Denx U Boot 1.3.4 Denx U Boot 2008.10 Denx U Boot 2009.01 Denx U Boot 2009.03 Denx U Boot 2009.06 Denx U Boot 2009.08 Denx U Boot 2009.11 Denx U Boot 2009.11.1 Denx U Boot 2010.03 Denx U Boot 2010.06 Denx U Boot 2010.09 Denx U Boot 2010.12 Denx U Boot 2011.03 Denx U Boot 2011.04.01 Denx U Boot 2011.06 Denx U Boot 2011.09 Denx U Boot 2011.12 Denx U Boot 2012.04 Denx U Boot 2012.04.01 Denx U Boot 2012.07 Denx U Boot 2012.10 Denx U Boot 2013.01 Denx U Boot 2013.01.01 Denx U Boot 2013.04 Denx U Boot 2013.07 Denx U Boot 2013.10 Denx U Boot 2014.01 Denx U Boot 2014.04 Denx U Boot 2014.07 Denx U Boot 2014.10 Denx U Boot 2015.01 Denx U Boot 2015.04 Denx U Boot 2015.07 Denx U Boot 2015.10 Denx U Boot 2016.01 Denx U Boot 2016.03 Denx U Boot 2016.05 Denx U Boot 2016.07 Denx U Boot 2016.09 Denx U Boot 2016.09.01 Denx U Boot 2016.11 Denx U Boot 2017.01 Denx U Boot 2017.03 Denx U Boot 2017.05 Denx U Boot 2017.07	230

Common Weakness Enumeration (CWE)

CWE-310 - Cryptographic Issues

Common Attack Pattern Enumeration and Classification (CAPEC)

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

References