https://seclists.org/oss-sec/2022/q1/34 Home page logo [INS::INS] * Nmap Security / Scanner + Ref Guide oss-sec logo oss-sec mailing list archives + Install Guide # By Date # # By Thread # [ ] + Download [Search] + Changelog + Book CVE-2021-4122: cryptsetup 2.x: decryption through LUKS2 reencryption + Docs crash recovery * Npcap packet --------------------------------------------------------------------- capture library From: Milan Broz + User's Guide Date: Thu, 13 Jan 2022 11:10:00 +0100 + API docs --------------------------------------------------------------------- + Download + Changelog Description: * Security Lists + Nmap Announce LUKS2 is an on-disk format for disk-encryption configuration with + Nmap Dev cryptsetup as the tool for configuration on Linux systems. + Bugtraq + Full LUKS2 online reencryption is an optional extension to allow a user to Disclosure change the data reencryption key while the data device is available for + Pen Test use during the whole reencryption process. + Basics + More CVE-2021-4122 describes a possible attack against data confidentiality * Security Tools through LUKS2 online reencryption extension crash recovery. + Password audit + Sniffers An attacker can modify on-disk metadata to simulate decryption in + Vuln scanners progress with crashed (unfinished) reencryption step and persistently + Web scanners decrypt part of the LUKS device. + Wireless + Exploitation This attack requires repeated physical access to the LUKS device but + Packet no knowledge of user passphrases. crafters + More The decryption step is performed after a valid user activates * Site News the device with a correct passphrase and modified metadata. * Advertising There are no visible warnings for the user that such recovery happened * About/Contact (except using the luksDump command). The attack can also be reversed * [ ] afterward (simulating crashed encryption from a plaintext) with [Site Search] possible modification of revealed plaintext. * Sponsors: The size of possible decrypted data depends on configured LUKS2 header [INS::INS] size (metadata size is configurable for LUKS2). With the default parameters (16 MiB LUKS2 header) and only one allocated keyslot (512 bit key for AES-XTS), simulated decryption with checksum resilience SHA1 (20 bytes checksum for 4096-byte blocks), the maximal decrypted size can be over 3GiB. The attack is not applicable to LUKS1 format, but the attacker can update metadata in place to LUKS2 format as an additional step. For such a converted LUKS2 header, the keyslot area is limited to decrypted size (with SHA1 checksums) over 300 MiB. The problem was caused by reusing a mechanism designed for actual reencryption operation without reassessing the security impact for new encryption and decryption operations. While the reencryption requires calculating and verifying both key digests, no digest was needed to initiate decryption recovery if the destination is plaintext (no encryption key). Also, some metadata (like encryption cipher) is not protected, and an attacker could change it. Note that LUKS2 protects visible metadata only when a random change occurs. It does not protect against intentional modification but such modification must not cause a violation of data confidentiality. Affected versions: The issue is present in all cryptsetup releases since 2.2.0. Versions 1.x, 2.0.x, and 2.1.x are not affected, as these do not contain LUKS2 reencryption extension. Fix: The fix introduces additional digest protection of reencryption metadata. The digest is calculated from known keys and critical reencryption metadata. Now an attacker cannot create correct metadata digest without knowledge of a passphrase for used keyslots. For more details, see LUKS2 On-Disk Format Specification version 1.1.0. The former reencryption operation (without the additional digest) is no longer supported (reencryption with the digest is not backward compatible). You need to finish in-progress reencryption before updating to new packages. The alternative approach is to perform a repair command from the updated package to recalculate reencryption digest and fix metadata. The reencryption repair operation always require a user passphrase. An alternative fix is to use the newly introduced configure option --disable-luks2-reencryption to completely disable LUKS2 reencryption code. When used, the libcryptsetup library can read metadata with reencryption code, but all reencryption API calls and cryptsetup reencrypt commands are disabled. Devices with online reencryption in progress cannot be activated. Fixed versions and links: Fixed in cryptsetup 2.4.3 and 2.3.7. https://gitlab.com/cryptsetup/cryptsetup For 2.2.x (no longer supported upstream) the fix backport would be very problematic, the best option is to disable online reencryption. See upstream branch with backported --disable-luks2-reencryption option. https://gitlab.com/cryptsetup/cryptsetup/-/tree/v2.2.x LUKS2 documentation with online reencryption extension https://gitlab.com/cryptsetup/LUKS2-docs Thanks Red Hat security for handling the CVE process. https://access.redhat.com/security/cve/cve-2021-4122 https://bugzilla.redhat.com/show_bug.cgi?id=2032401 The issue was found by Milan Broz as cryptsetup maintainer. --------------------------------------------------------------------- # By Date # # By Thread # Current thread: * CVE-2021-4122: cryptsetup 2.x: decryption through LUKS2 reencryption crash recovery Milan Broz (Jan 13) [ Nmap | Npcap | Sec Tools | Mailing Lists | Site News | About/ Contact | Advertising | Privacy ] [INS::INS]