Bugzilla – Bug 1058438
VUL-0: CVE-2017-3226: u-boot: Information Exposure Through Timing Discrepancy
Last modified: 2017-09-13 07:18:42 UTC
CWE-208: Information Exposure Through Timing Discrepancy - CVE-2017-3226 Devices that make use of Das U-Boot's AES-CBC encryption feature using environment encryption (i.e., setting the configuration parameter CONFIG_ENV_AES=y) read environment variables from disk as the encrypted disk image is processed. An attacker with physical access to the device can manipulate the encrypted environment data to include a crafted two-byte sequence which triggers an error in environment variable parsing. This error condition is improperly handled by Das U-Boot, resulting in an immediate process termination with a debugging message. The immediate failure can be used as an oracle for a Vaudenay-style timing attack on the cryptography, allowing a dedicated attacker to decrypt and potentially modify the contents of the device. References: https://www.kb.cert.org/vuls/id/166743
It is not a real problem since this code is not used inside U-Boot and will be removed in the next releases. See: https://lists.denx.de/pipermail/u-boot/2017-September/305181.html No U-Boot configs are using CONFIG_ENV_AES=y. So, I guess we are fine here.
Neither SLE nor openSUSE is using the AES encryption inside u-boot. Closing as invalid.