// For flags

CVE-2017-3225

Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector that may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data

Severity Score

4.6
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data. Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data.

Das U-Boot es un bootloader de dispositivos que puede leer su configuración desde un archivo cifrado por AES. Para los dispositivos que emplean este modo de cifrado de entorno, el uso de U-Boot de un vector de inicialización cero podría permitir ataques contra la implementación criptográfica subyacente y permitir que un atacante descifre los datos. La característica de cifrado AES-CBC de Das U-Boot emplea un vector de inicialización cero (0). Esto permite que un atacante realice ataques de diccionario sobre datos cifrados producidos por Das U-Boot para aprender información sobre los datos cifrados.

*Credits: N/A
CVSS Scores
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-12-05 CVE Reserved
  • 2018-07-24 CVE Published
  • 2023-12-15 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-310: Cryptographic Issues
  • CWE-329: Generation of Predictable IV with CBC Mode
CAPEC
References (2)
URL Tag Source
http://www.securityfocus.com/bid/100675 Third Party Advisory
https://www.kb.cert.org/vuls/id/166743 Third Party Advisory
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Denx
Search vendor "Denx"
 U-boot
Search vendor "Denx" for product "U-boot"
 < 2017.09
Search vendor "Denx" for product "U-boot" and version " < 2017.09"
-
Affected