CVE-2017-3225

Published: 24 July 2018

Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data. Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data.

Priority

Negligible

CVSS 3 base score: 4.6

Status

Package Release Status
u-boot
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.10 (Groovy Gorilla) Not vulnerable

Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable

Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was not-affected [code not present])
Ubuntu 12.04 ESM (Precise Pangolin) Does not exist

Patches:
Upstream: https://github.com/u-boot/u-boot/commit/c6831c74a9e9dbedc351de94d23d35188ae1a39b

Notes

AuthorNote
mdeslaur xenial doesn't build with ENV_AES, and later releases removed the code completely

References