[U-Boot] VU#166743: Das U-Boot AES-CBC encryption

Blibbet blibbet at gmail.com
Sat Sep 9 16:29:45 UTC 2017


I apologize if I missed it, but I haven't see any mention of this recent
vulnerability here, excerpts below.

http://www.kb.cert.org/vuls/id/166743

-----snip-----
Vulnerability Note VU#166743

Das U-Boot AES-CBC encryption implementation contains multiple
vulnerabilities

Original Release date: 08 Sep 2017

Das U-Boot is a device bootloader that can read its configuration from
an AES encrypted file. For devices utilizing this environment encryption
mode, U-Boot's use of a zero initialization vector and improper handling
of an error condition may allow attacks against the underlying
cryptographic implementation and allow an attacker to decrypt the data.

An attacker with physical access to the device may be able to decrypt
the device's contents.

The CERT/CC is currently unaware of a practical solution to this problem.
-----snip-----


More information about the U-Boot mailing list