Timing Information Leak in Pengutronix Barebox
CVE-2021-37847

7.5HIGH

Key Information:

Vendor: Pengutronix
Status: Barebox
Vendor: CVE Published:; 2 August 2021

🔔 Create Pengutronix Vulnerability Alert

What is CVE-2021-37847?

A flaw exists in Pengutronix Barebox, where the use of memcmp for digest verification exposes timing information. This leakage can be exploited by attackers to infer sensitive data based on timing discrepancies, potentially leading to unauthorized access or exposure of cryptographic keys. Addressing this issue is crucial for maintaining the integrity and security of the affected system.

References

https://github.com/saschahauer/barebox/commit/0a9f9a74106...

x_refsource_MISC

https://gist.github.com/gquere/816dfadbad98745090034100a8...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 2, 2021
Vulnerability Reserved
Aug 2, 2021