CVE-2017-3225

{"id": "CVE-2017-3225", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": true, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.6, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.9}]}, "published": "2018-07-24T15:29:00.953", "references": [{"url": "http://www.securityfocus.com/bid/100675", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cret@cert.org"}, {"url": "https://www.kb.cert.org/vuls/id/166743", "tags": ["Third Party Advisory", "US Government Resource"], "source": "cret@cert.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-310"}]}, {"type": "Secondary", "source": "cret@cert.org", "description": [{"lang": "en", "value": "CWE-329"}]}], "descriptions": [{"lang": "en", "value": "Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data. Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data."}, {"lang": "es", "value": "Das U-Boot es un bootloader de dispositivos que puede leer su configuraci\u00f3n desde un archivo cifrado por AES. Para los dispositivos que emplean este modo de cifrado de entorno, el uso de U-Boot de un vector de inicializaci\u00f3n cero podr\u00eda permitir ataques contra la implementaci\u00f3n criptogr\u00e1fica subyacente y permitir que un atacante descifre los datos. La caracter\u00edstica de cifrado AES-CBC de Das U-Boot emplea un vector de inicializaci\u00f3n cero (0). Esto permite que un atacante realice ataques de diccionario sobre datos cifrados producidos por Das U-Boot para aprender informaci\u00f3n sobre los datos cifrados."}], "lastModified": "2019-10-09T23:27:25.213", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:denx:u-boot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "99AD5D11-E001-46BE-A0A4-3380D41E26D6", "versionEndExcluding": "2017.09"}], "operator": "OR"}]}], "sourceIdentifier": "cret@cert.org"}