OpenCVE

Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data. Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data.

No CVSS v4.0

No CVSS v3.1

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Denx	U-boot

Configuration 1 [-]

cpe:2.3:a:denx:u-boot:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/100675
https://www.kb.cert.org/vuls/id/166743

History

No history.

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2018-07-24T15:00:00

Updated: 2024-08-05T14:16:28.243Z

Reserved: 2016-12-05T00:00:00

Link: CVE-2017-3225

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-07-24T15:29:00.953

Modified: 2024-11-21T03:25:04.470

Link: CVE-2017-3225

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "U-Boot", "vendor": "Das", "versions": [{"lessThan": "2017.09", "status": "affected", "version": "2017.09", "versionType": "custom"}]}], "datePublic": "2017-09-08T00:00:00", "descriptions": [{"lang": "en", "value": "Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data. Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-329", "description": "CWE-329", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-07-25T09:57:01", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"name": "100675", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/100675"}, {"name": "VU#166743", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "https://www.kb.cert.org/vuls/id/166743"}], "source": {"discovery": "UNKNOWN"}, "title": "Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector that may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "ID": "CVE-2017-3225", "STATE": "PUBLIC", "TITLE": "Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector that may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "U-Boot", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "2017.09", "version_value": "2017.09"}]}}]}, "vendor_name": "Das"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data. Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-329"}]}]}, "references": {"reference_data": [{"name": "100675", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100675"}, {"name": "VU#166743", "refsource": "CERT-VN", "url": "https://www.kb.cert.org/vuls/id/166743"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:16:28.243Z"}, "title": "CVE Program Container", "references": [{"name": "100675", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/100675"}, {"name": "VU#166743", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "https://www.kb.cert.org/vuls/id/166743"}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2017-3225", "datePublished": "2018-07-24T15:00:00", "dateReserved": "2016-12-05T00:00:00", "dateUpdated": "2024-08-05T14:16:28.243Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:denx:u-boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "99AD5D11-E001-46BE-A0A4-3380D41E26D6", "versionEndExcluding": "2017.09", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data. Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data."}, {"lang": "es", "value": "Das U-Boot es un bootloader de dispositivos que puede leer su configuraci\u00f3n desde un archivo cifrado por AES. Para los dispositivos que emplean este modo de cifrado de entorno, el uso de U-Boot de un vector de inicializaci\u00f3n cero podr\u00eda permitir ataques contra la implementaci\u00f3n criptogr\u00e1fica subyacente y permitir que un atacante descifre los datos. La caracter\u00edstica de cifrado AES-CBC de Das U-Boot emplea un vector de inicializaci\u00f3n cero (0). Esto permite que un atacante realice ataques de diccionario sobre datos cifrados producidos por Das U-Boot para aprender informaci\u00f3n sobre los datos cifrados."}], "id": "CVE-2017-3225", "lastModified": "2024-11-21T03:25:04.470", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-24T15:29:00.953", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100675"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/166743"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100675"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/166743"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-329"}], "source": "cret@cert.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}