> This is an amazing bug. They took AES (seems fine) and an inappropriate but in principle secure cipher mode (CFB8) and then they fixed the IV as all zeroes
A bit more detail on what happens next: "So with an all-zero IV and plaintext plus a randomly chosen key, you will end up with an all-zero ciphertext 1 in 256 times on average. [In other words] roughly once in every 256 times the server would randomly concoct a session key for which the correctly-encrypted version of their all-zero ClientChallenge would itself be all zeros."[1] Quoted from a detailed and nicely illustrated article about the bug.
[1] https://nakedsecurity.sophos.com/2020/09/17/zerologon-hackin...
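To make the "1 in 256" concrete, here is an added example (not code from the comment above, the Sophos article, or Microsoft) that wires up AES-CFB8 by hand in Go, checks it against the NIST SP 800-38A CFB8-AES128 known-answer vector, and then measures how often a random key turns an all-zero challenge into an all-zero ciphertext under an all-zero IV. It assumes an 8-byte challenge and AES-128 keys; the function names are mine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// cfb8Encrypt is hand-rolled AES-CFB8 (Go's cipher.NewCFBEncrypter is the
// full-block variant). For each plaintext byte: encrypt the shift register,
// XOR its first byte into the plaintext byte, slide the register left one
// byte and append the ciphertext byte.
func cfb8Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", block.BlockSize(), len(iv))
	}
	reg := append([]byte(nil), iv...)
	ks := make([]byte, block.BlockSize())
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		copy(reg, reg[1:]) // copy handles the overlap (memmove semantics)
		reg[len(reg)-1] = out[i]
	}
	return out, nil
}

// knownAnswerOK checks cfb8Encrypt against NIST SP 800-38A F.3.7
// (CFB8-AES128.Encrypt) so the mode is known to be wired correctly.
func knownAnswerOK() bool {
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	iv, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	pt, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172aae2d")
	want, _ := hex.DecodeString("3b79424c9c0dd436bace9e0ed4586a4f32b9")
	got, err := cfb8Encrypt(key, iv, pt)
	return err == nil && bytes.Equal(got, want)
}

// zeroChallengeEncryptsToZero models the case in the quoted text: all-zero IV,
// all-zero challenge (assumed 8 bytes here), key chosen by the server.
func zeroChallengeEncryptsToZero(key []byte) (bool, error) {
	zero := make([]byte, 8)
	ct, err := cfb8Encrypt(key, make([]byte, aes.BlockSize), zero)
	if err != nil {
		return false, err
	}
	return bytes.Equal(ct, zero), nil
}

// firstKeystreamByteIsZero is why the odds are exactly 1/256: with a zero IV
// and zero plaintext the register only changes when a ciphertext byte is
// non-zero. If AES_k(0^16)[0] == 0x00, the register stays all zeros, every
// later keystream byte is that same 0x00, and the whole ciphertext is zero.
// Otherwise the very first ciphertext byte is already non-zero.
func firstKeystreamByteIsZero(key []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	ks := make([]byte, aes.BlockSize)
	block.Encrypt(ks, make([]byte, aes.BlockSize))
	return ks[0] == 0, nil
}

// countVulnerableKeys draws n random AES-128 keys, counts those for which the
// zero challenge encrypts to zeros, and checks the equivalence above on each.
func countVulnerableKeys(n int) (int, error) {
	hits := 0
	key := make([]byte, 16)
	for i := 0; i < n; i++ {
		if _, err := rand.Read(key); err != nil {
			return 0, err
		}
		allZero, err := zeroChallengeEncryptsToZero(key)
		if err != nil {
			return 0, err
		}
		firstZero, err := firstKeystreamByteIsZero(key)
		if err != nil {
			return 0, err
		}
		if allZero != firstZero {
			return 0, fmt.Errorf("equivalence broken for key %x", key)
		}
		if allZero {
			hits++
		}
	}
	return hits, nil
}

func main() {
	if !knownAnswerOK() {
		panic("CFB8 known-answer test failed")
	}
	const trials = 100000
	hits, err := countVulnerableKeys(trials)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d of %d random keys (%.3f%%) turn the zero challenge into zeros; 1/256 is %.3f%%\n",
		hits, trials, 100*float64(hits)/trials, 100.0/256)
}
```

Run it a few times and the hit rate sits around 0.39%. The point a reviewer should take from the code is that the odds do not depend on the challenge length at all: once the first keystream byte is zero, the all-zero register never changes, so the attacker only has to win one byte, not eight.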