[U-Boot] VU#166743: Das U-Boot AES-CBC encryption
Blibbet
blibbet at gmail.com
Sat Sep 9 16:29:45 UTC 2017
I apologize if I missed it, but I haven't seen any mention of this recent
vulnerability here, excerpts below.
http://www.kb.cert.org/vuls/id/166743
-----snip-----
Vulnerability Note VU#166743
Das U-Boot AES-CBC encryption implementation contains multiple
vulnerabilities
Original Release date: 08 Sep 2017
Das U-Boot is a device bootloader that can read its configuration from
an AES encrypted file. For devices utilizing this environment encryption
mode, U-Boot's use of a zero initialization vector and improper handling
of an error condition may allow attacks against the underlying
cryptographic implementation and allow an attacker to decrypt the data.
An attacker with physical access to the device may be able to decrypt
the device's contents.
The CERT/CC is currently unaware of a practical solution to this problem.
-----snip-----
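Added example (not part of the original post, the CERT/CC note, or U-Boot's code): what a fixed all-zero IV means for CBC. Two encryptions under the same key of data sharing a prefix yield identical leading ciphertext blocks, while a fresh random IV per encryption removes that. The block cipher is a hash-based Feistel stand-in rather than AES, because the property belongs to the CBC mode, and the environment strings are constructed.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, same as AES


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash truncated to half a block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Stand-in 128-bit block permutation (4-round Feistel). This is NOT AES.
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad  # PKCS#7 padding
    out, prev = [], iv
    for off in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[off:off + BLOCK], prev))
        prev = encrypt_block(key, mixed)  # each block chains on the previous one
        out.append(prev)
    return b"".join(out)


def shared_prefix_blocks(c1: bytes, c2: bytes) -> int:
    # Number of leading ciphertext blocks that are byte-for-byte identical.
    n = 0
    for off in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[off:off + BLOCK] != c2[off:off + BLOCK]:
            break
        n += 1
    return n


def compare(fixed_iv: bool) -> int:
    key = os.urandom(16)
    # Constructed sample environments; they differ only in the third block.
    env_a = b"bootdelay=3\x00baudrate=115200\x00bootcmd=run a\x00"
    env_b = b"bootdelay=3\x00baudrate=115200\x00bootcmd=run b\x00"
    iv_a = bytes(BLOCK) if fixed_iv else os.urandom(BLOCK)
    iv_b = bytes(BLOCK) if fixed_iv else os.urandom(BLOCK)
    return shared_prefix_blocks(cbc_encrypt(key, iv_a, env_a), cbc_encrypt(key, iv_b, env_b))
```

With a random IV the IV has to be stored next to the ciphertext so the data can be decrypted; it does not need to be secret.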