CVE-2017-3225Generation of Predictable IV with CBC Mode in U-boot

CWE-329Generation of Predictable IV with CBC ModeCWE-310CWE-1204Generation of Weak Initialization Vector6 documents5 sources
Severity
4.6MEDIUMNVD
OSV4.0
EPSS
0.1%
top 84.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
DAS U-bootDenx U-bootCobbler Project Cobbler+1 more
Timeline
PublishedJul 24
Latest updateNov 13

Description

Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data. Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn informati

CVSS vector

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 0.9 | Impact: 3.6

Affected Packages4 packages

CVEListV5das/u-boot2017.092017.09
NVDdenx/u-boot< 2017.09
debiandebian/u-boot
Ubuntucobbler_project/cobbler< 2.4.1-0ubuntu2+esm1

🔴Vulnerability Details

3
OSV
cobbler vulnerabilities2023-11-13
GHSA
GHSA-x8ww-88gq-789c: Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file2022-05-13
OSV
CVE-2017-3225: Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file2018-07-24

📋Vendor Advisories

1
Debian
CVE-2017-3225: u-boot - Das U-Boot is a device bootloader that can read its configuration from an AES en...2017

📐Framework References

1
CWE
Generation of Weak Initialization Vector (IV)
CVE-2017-3225 — DAS U-boot vulnerability | cvebase