CVE-2007-3528 — Generation of Weak Initialization Vector in DAR

CWE-1204 — Generation of Weak Initialization Vector CWE-329 — Generation of Predictable IV with CBC Mode7 documents6 sources

Severity

5.0MEDIUMNVD

EPSS

0.5%

top 32.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

DAR Debian DAR

Timeline

PublishedJul 3

Latest updateMay 1

Description

The blowfish mode in DAR before 2.3.4 uses weak Blowfish-CBC cryptography by (1) discarding random bits by the blowfish::make_ivec function in libdar/crypto.cpp that results in predictable and repeating IV values, and (2) direct use of a password for keying, which makes it easier for context-dependent attackers to decrypt files.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/dar< dar 2.3.3-1 (bookworm)

▶Debiandar/dar< 2.3.3-1+3

▶NVDdar/dar2.3.3

Patches

Patch: sourceforge.net ↗Patch: sourceforge.net ↗

🔴Vulnerability Details

GHSA

GHSA-fw5v-h2w7-75mc: The blowfish mode in DAR before 2↗2022-05-01

▶

OSV

CVE-2007-3528: The blowfish mode in DAR before 2↗2007-07-03

▶

📋Vendor Advisories

Debian

CVE-2007-3528: dar - The blowfish mode in DAR before 2.3.4 uses weak Blowfish-CBC cryptography by (1)...↗2007

▶

📐Framework References

CWE

Generation of Weak Initialization Vector (IV)↗

▶

CWE

Generation of Predictable IV with CBC Mode↗

▶

💬Community

Bugzilla

CVE-2007-3528 dar Blowfish-CBC weakness↗2007-07-04

▶