Timing Information Leak in Pengutronix Barebox through Hash Comparison
CVE-2021-37848

7.5HIGH

Key Information:

Vendor: Pengutronix
Status: Barebox
Vendor: CVE Published:; 2 August 2021

🔔 Create Pengutronix Vulnerability Alert

What is CVE-2021-37848?

A vulnerability in Pengutronix's barebox version 2021.07.0 has been identified, where timing information can be leaked due to the use of the strncmp function for hash comparison in common/password.c. This implementation flaw allows attackers to potentially gain insights into the hashed passwords, compromising the security of the affected system.

References

https://github.com/saschahauer/barebox/commit/a3337563c70...

x_refsource_MISC

https://gist.github.com/gquere/816dfadbad98745090034100a8...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 2, 2021
Vulnerability Reserved
Aug 2, 2021