CVE-2017-3226
First published: Tue Jul 24 2018(Updated: )
Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. Devices that make use of Das U-Boot's AES-CBC encryption feature using environment encryption (i.e., setting the configuration parameter CONFIG_ENV_AES=y) read environment variables from disk as the encrypted disk image is processed. An attacker with physical access to the device can manipulate the encrypted environment data to include a crafted two-byte sequence which triggers an error in environment variable parsing. This error condition is improperly handled by Das U-Boot, resulting in an immediate process termination with a debugging message.
Credit: cret@cert.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| DENX U-Boot | <2017.09 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2017-3226?
CVE-2017-3226 is a vulnerability in Das U-Boot, a device bootloader that can read its configuration from an AES encrypted file.
What is the severity of CVE-2017-3226?
The severity of CVE-2017-3226 is medium with a CVSS score of 6.4.
How does CVE-2017-3226 affect software?
CVE-2017-3226 affects devices that make use of Das U-Boot's AES-CBC encryption feature using environment encryption.
How can I fix CVE-2017-3226?
To fix CVE-2017-3226, update Das U-Boot to a version higher than 2017.09 or apply any available patches or mitigations provided by the vendor.
Where can I find more information about CVE-2017-3226?
You can find more information about CVE-2017-3226 at the following references: http://www.securityfocus.com/bid/100675 and https://www.kb.cert.org/vuls/id/166743
- collector/nvd-index
- vendor/denx
- canonical/denx u-boot