cnvd - cnvd-2017-33393

CNVD-2017-33393

Vulnerability from cnvd - Published: 2017-11-09

Title

IEEE P1735加密问题漏洞

Description

IEEE P1735是一个专门用来加密电子设计的知识产权的标准。 IEEE P1735的实现存在加密问题漏洞。攻击者可利用该漏洞获取电子设计的知识产权。

Severity

中

Patch Name

IEEE P1735加密问题漏洞的补丁

Patch Description

IEEE P1735是一个专门用来加密电子设计的知识产权的标准。 IEEE P1735的实现存在加密问题漏洞。攻击者可利用该漏洞获取电子设计的知识产权。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： http://ieeexplore.ieee.org/document/7274481/

Reference

https://www.kb.cert.org/vuls/id/739007

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-13091"
    }
  },
  "description": "IEEE P1735\u662f\u4e00\u4e2a\u4e13\u95e8\u7528\u6765\u52a0\u5bc6\u7535\u5b50\u8bbe\u8ba1\u7684\u77e5\u8bc6\u4ea7\u6743\u7684\u6807\u51c6\u3002\r\n\r\nIEEE P1735\u7684\u5b9e\u73b0\u5b58\u5728\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u7535\u5b50\u8bbe\u8ba1\u7684\u77e5\u8bc6\u4ea7\u6743\u3002",
  "discovererName": "Domenic Forte and Animesh Chhotaray",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttp://ieeexplore.ieee.org/document/7274481/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-33393",
  "openTime": "2017-11-09",
  "patchDescription": "IEEE P1735\u662f\u4e00\u4e2a\u4e13\u95e8\u7528\u6765\u52a0\u5bc6\u7535\u5b50\u8bbe\u8ba1\u7684\u77e5\u8bc6\u4ea7\u6743\u7684\u6807\u51c6\u3002\r\n\r\nIEEE P1735\u7684\u5b9e\u73b0\u5b58\u5728\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u7535\u5b50\u8bbe\u8ba1\u7684\u77e5\u8bc6\u4ea7\u6743\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IEEE P1735\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "referenceLink": "https://www.kb.cert.org/vuls/id/739007",
  "serverity": "\u4e2d",
  "submitTime": "2017-11-08",
  "title": "IEEE P1735\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2017-13091 (GCVE-0-2017-13091)

Vulnerability from cvelistv5 – Published: 2018-07-13 20:00 – Updated: 2024-08-05 18:58

Title

The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), including improperly specified padding in CBC mode allows use of an EDA tool as a decryption oracle

Summary

The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), as well as the management of access rights for such IP, including improperly specified padding in CBC mode allows use of an EDA tool as a decryption oracle. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP. Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts.

Severity ?

No CVSS data available.

CWE

CWE-310

Assigner

certcc

References

URL

Tags

	http://www.securityfocus.com/bid/101699	vdb-entryx_refsource_BID
	https://www.kb.cert.org/vuls/id/739007	third-party-advisoryx_refsource_CERT-VN

Impacted products

	Vendor	Product	Version
	IEEE	Standard	Affected: P1735

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:58:12.350Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "101699",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/101699"
          },
          {
            "name": "VU#739007",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "https://www.kb.cert.org/vuls/id/739007"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Standard",
          "vendor": "IEEE",
          "versions": [
            {
              "status": "affected",
              "version": "P1735"
            }
          ]
        }
      ],
      "datePublic": "2017-11-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), as well as the management of access rights for such IP, including improperly specified padding in CBC mode allows use of an EDA tool as a decryption oracle. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP. Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-310",
              "description": "CWE-310",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-07-14T09:57:01",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "name": "101699",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/101699"
        },
        {
          "name": "VU#739007",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "https://www.kb.cert.org/vuls/id/739007"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), including improperly specified padding in CBC mode allows use of an EDA tool as a decryption oracle",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "ID": "CVE-2017-13091",
          "STATE": "PUBLIC",
          "TITLE": "The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), including improperly specified padding in CBC mode allows use of an EDA tool as a decryption oracle"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Standard",
                      "version": {
                        "version_data": [
                          {
                            "affected": "=",
                            "version_affected": "=",
                            "version_name": "P1735",
                            "version_value": "P1735"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "IEEE"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), as well as the management of access rights for such IP, including improperly specified padding in CBC mode allows use of an EDA tool as a decryption oracle. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP. Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-310"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "101699",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/101699"
            },
            {
              "name": "VU#739007",
              "refsource": "CERT-VN",
              "url": "https://www.kb.cert.org/vuls/id/739007"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2017-13091",
    "datePublished": "2018-07-13T20:00:00",
    "dateReserved": "2017-08-22T00:00:00",
    "dateUpdated": "2024-08-05T18:58:12.350Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-33393

CVE-2017-13091 (GCVE-0-2017-13091)

Tags

Sightings

Nomenclature