CVE Vulnerabilities

CVE-2017-3226

Generation of Predictable IV with CBC Mode

Published: Jul 24, 2018 | Modified: Nov 21, 2024
CVSS 3.x: 6.4 MEDIUM (Source: NVD)
CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x: 4.4 MEDIUM
AV:L/AC:M/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu: NEGLIGIBLE

Das U-Boot is a device bootloader that can read its configuration from an AES-encrypted file. Devices that use Das U-Boot's AES-CBC environment encryption feature (i.e., setting the configuration parameter CONFIG_ENV_AES=y) read environment variables from disk as the encrypted disk image is processed. An attacker with physical access to the device can manipulate the encrypted environment data to include a crafted two-byte sequence which triggers an error in environment variable parsing. This error condition is improperly handled by Das U-Boot, resulting in an immediate process termination with a debugging message.

Weakness

The product generates and uses a predictable Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.

Affected Software

Name    Vendor  Start Version       End Version
U-boot  Denx    *                   2017.09 (excluding)
U-boot  Ubuntu  artful              *
U-boot  Ubuntu  cosmic              *
U-boot  Ubuntu  disco               *
U-boot  Ubuntu  eoan                *
U-boot  Ubuntu  esm-infra/xenial    *
U-boot  Ubuntu  vivid/ubuntu-core   *
U-boot  Ubuntu  xenial              *
U-boot  Ubuntu  zesty               *

Extended Description

CBC mode eliminates a weakness of Electronic Code Book (ECB) mode by allowing identical plaintext blocks to be encrypted to different ciphertext blocks. This is possible by the XOR-ing of an IV with the initial plaintext block so that every plaintext block in the chain is XOR’d with a different value before encryption. If IVs are reused, then identical plaintexts would be encrypted to identical ciphertexts. However, even if IVs are not identical but are predictable, then they still break the security of CBC mode against Chosen Plaintext Attacks (CPA).
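
The IV-reuse statement above, as an added example that is not part of the original entry and is not U-Boot code: two constructed environment images are encrypted in CBC mode, first under a constant IV and then under distinct IVs, and the identical leading ciphertext blocks are counted. The Feistel permutation stands in for AES so the block runs without third-party libraries; all function names, the key, the IV and the sample data are assumptions made for illustration.

```python
import hashlib
import os

BLOCK = 16  # bytes, same block size as AES

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation standing in for AES (illustration only)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC chaining: XOR each plaintext block with the previous ciphertext block."""
    if len(iv) != BLOCK or len(plaintext) % BLOCK:
        raise ValueError("IV must be one block; plaintext must be block-aligned")
    prev, out = iv, bytearray()
    for off in range(0, len(plaintext), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(plaintext[off:off + BLOCK], prev))
        prev = toy_block_encrypt(key, mixed)
        out += prev
    return bytes(out)

def shared_prefix_blocks(c1: bytes, c2: bytes) -> int:
    """Count leading ciphertext blocks that are byte-for-byte identical."""
    count = 0
    for off in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[off:off + BLOCK] != c2[off:off + BLOCK]:
            break
        count += 1
    return count

def pad(data: bytes) -> bytes:
    """Zero-pad to a whole number of blocks."""
    return data.ljust(-(-len(data) // BLOCK) * BLOCK, b"\x00")

# Constructed sample environments: same first 32 bytes, differing in the third block.
ENV_A = pad(b"bootdelay=3\x00baudrate=115200\x00secure=1\x00")
ENV_B = pad(b"bootdelay=3\x00baudrate=115200\x00secure=0\x00")
KEY = bytes(range(16))   # constructed key
FIXED_IV = bytes(BLOCK)  # constructed stand-in for any constant, known IV

def leaked_blocks(iv_a: bytes, iv_b: bytes) -> int:
    """Identical leading ciphertext blocks when ENV_A and ENV_B use the given IVs."""
    return shared_prefix_blocks(cbc_encrypt(KEY, iv_a, ENV_A),
                                cbc_encrypt(KEY, iv_b, ENV_B))

if __name__ == "__main__":
    print("fixed IV, identical leading blocks:", leaked_blocks(FIXED_IV, FIXED_IV))
    print("fresh random IVs:", leaked_blocks(os.urandom(BLOCK), os.urandom(BLOCK)))
```

With the constant IV, an observer holding only the two ciphertexts learns that the images agree on their first 32 bytes; with a fresh unpredictable IV per encryption, no ciphertext block matches.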
