[pkg-cryptsetup-devel] Bug#1003686: CVE-2021-4122: cryptsetup 2.x: decryption through LUKS2 reencryption crash recovery
Guilhem Moulin
guilhem at debian.org
Thu Jan 13 18:00:13 GMT 2022
Source: cryptsetup
Severity: grave
Tags: security upstream
Justification: root security hole
Control: found -1 2:2.3.5-1
Control: found -1 2:2.4.2-1
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Quoting <https://seclists.org/oss-sec/2022/q1/34>:
| CVE-2021-4122 describes a possible attack against data confidentiality
| through LUKS2 online reencryption extension crash recovery.
|
| An attacker can modify on-disk metadata to simulate decryption in
| progress with crashed (unfinished) reencryption step and persistently
| decrypt part of the LUKS device.
|
| This attack requires repeated physical access to the LUKS device but
| no knowledge of user passphrases.
|
| The decryption step is performed after a valid user activates
| the device with a correct passphrase and modified metadata.
| There are no visible warnings for the user that such recovery happened
| (except using the luksDump command). The attack can also be reversed
| afterward (simulating crashed encryption from a plaintext) with
| possible modification of revealed plaintext.
| […]
| The issue was found by Milan Broz as cryptsetup maintainer.
Upstream fixes:
2.3 branch: https://gitlab.com/cryptsetup/cryptsetup/-/commit/60addcffa6794c29dccf33d8db5347f24b75f2fc
2.4 branch: https://gitlab.com/cryptsetup/cryptsetup/-/commit/de98f011418c62e7b825a8ce3256e8fcdc84756e
Buster and earlier are not affected since their respective
(lib)cryptsetup don't support LUKS2 online reencryption. I'll provide a
debdiff for bullseye-security.
--
Guilhem.
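The advisory above notes that the only visible trace of a simulated crashed decryption is in the metadata that `luksDump` prints. As an added example (not code from this report, from Debian or from cryptsetup), the script below makes that check scriptable for a header image read from a device that has been out of your control: it unpacks the LUKS2 binary header, verifies the (unkeyed) header checksum, and then scans the JSON area for a `reencrypt` keyslot, segments carrying reencryption flags or stored as `linear` plaintext, and a mandatory `online-reencrypt*` requirement. The header images are constructed inline as test fixtures; the field names follow the LUKS2 on-disk format, and the constants `TAMPERED` and `CLEAN` and the functions `parse_luks2_header`, `reencryption_findings`, `build_luks2_header` and `check_image` are this example's own.

```python
"""Offline check for the LUKS2 metadata state that CVE-2021-4122 abuses:
a header claiming that a decryption is in progress and crashed.

Added example, not part of the Debian report or of cryptsetup.  The header
bytes are constructed inline; on a real device read the first `hdr_size`
bytes of the device (or the detached header file) instead.
"""
import hashlib
import json
import struct

LUKS2_MAGIC = (b"LUKS\xba\xbe", b"SKUL\xba\xbe")   # primary / secondary header
BIN_HDR_SIZE = 4096
# Binary header layout (LUKS2 on-disk format, big-endian): magic(6)
# version(2) hdr_size(8) seqid(8) label(48) csum_alg(32) salt(64) uuid(40)
# subsystem(48) hdr_offset(8) pad(184) csum(64) pad(3584) = 4096 bytes.
HDR_FMT = ">6sHQQ48s32s64s40s48sQ184s64s3584s"
CSUM_OFF = 448   # the csum field occupies bytes 448..511
REENC_SEGMENT_FLAGS = {"in-reencryption", "backup-previous",
                       "backup-final", "backup-moved-segment"}


def parse_luks2_header(data):
    """Return the JSON metadata of a LUKS2 header image, or raise ValueError."""
    magic, version, hdr_size = struct.unpack_from(">6sHQ", data, 0)
    if magic not in LUKS2_MAGIC or version != 2:
        raise ValueError("not a LUKS2 header")
    if hdr_size > len(data):
        raise ValueError("truncated header image")
    # The header checksum is unkeyed (sha256 in this fixture): an attacker
    # who edits the JSON area simply recomputes it, so a valid checksum only
    # proves the image is well-formed, not that the metadata is honest.
    zeroed = data[:CSUM_OFF] + b"\0" * 64 + data[CSUM_OFF + 64:hdr_size]
    if hashlib.sha256(zeroed).digest() != data[CSUM_OFF:CSUM_OFF + 32]:
        raise ValueError("header checksum mismatch")
    json_area = data[BIN_HDR_SIZE:hdr_size].split(b"\0", 1)[0]
    return json.loads(json_area.decode())


def reencryption_findings(meta):
    """List every sign that a (possibly crashed) reencryption is recorded."""
    findings = []
    for kid, ks in meta.get("keyslots", {}).items():
        if ks.get("type") == "reencrypt":
            findings.append("keyslot %s: reencrypt keyslot, mode=%s direction=%s"
                            % (kid, ks.get("mode"), ks.get("direction")))
    for sid, seg in meta.get("segments", {}).items():
        flags = REENC_SEGMENT_FLAGS & set(seg.get("flags", []))
        if flags:
            findings.append("segment %s: flags %s" % (sid, sorted(flags)))
        if seg.get("type") == "linear":
            findings.append("segment %s: linear (plaintext) at offset %s"
                            % (sid, seg.get("offset")))
    for req in meta.get("config", {}).get("requirements", {}).get("mandatory", []):
        if req.startswith("online-reencrypt") or req == "offline-reencrypt":
            findings.append("mandatory requirement %s" % req)
    return findings


def build_luks2_header(meta, hdr_size=16384):
    """Constructed fixture: pack `meta` into a minimal, checksummed header image."""
    json_area = json.dumps(meta).encode().ljust(hdr_size - BIN_HDR_SIZE, b"\0")

    def binhdr(csum):
        return struct.pack(HDR_FMT, LUKS2_MAGIC[0], 2, hdr_size, 1, b"",
                           b"sha256", b"", b"", b"", 0, b"", csum, b"")

    csum = hashlib.sha256(binhdr(b"") + json_area).digest()
    return binhdr(csum) + json_area


# Constructed metadata: a header claiming a forward decryption crashed with
# the first 8 MiB of data already stored as plaintext (linear segment).
TAMPERED = {
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64},
        "1": {"type": "reencrypt", "key_size": 1, "mode": "decrypt",
              "direction": "forward"},
    },
    "segments": {
        "0": {"type": "linear", "offset": "16777216", "size": "8388608"},
        "1": {"type": "crypt", "offset": "25165824", "size": "dynamic",
              "encryption": "aes-xts-plain64", "flags": ["in-reencryption"]},
    },
    "config": {"json_size": "12288", "keyslots_size": "16744448",
               "requirements": {"mandatory": ["online-reencrypt-v2"]}},
}
CLEAN = {
    "keyslots": {"0": {"type": "luks2", "key_size": 64}},
    "segments": {"0": {"type": "crypt", "offset": "16777216", "size": "dynamic",
                       "encryption": "aes-xts-plain64"}},
    "config": {"json_size": "12288", "keyslots_size": "16744448"},
}


def check_image(data):
    """Return (safe_to_activate, findings) for a header image."""
    findings = reencryption_findings(parse_luks2_header(data))
    return (not findings, findings)


if __name__ == "__main__":
    for name, meta in (("tampered", TAMPERED), ("clean", CLEAN)):
        safe, findings = check_image(build_luks2_header(meta))
        print(name, "safe" if safe else "DO NOT ACTIVATE")
        for f in findings:
            print("  ", f)
```

Any finding means the header should not be used to activate the device until the state is understood, because on an affected cryptsetup the activation itself performs the recovery step the attacker planted. An empty finding list is necessary but not sufficient: the check only covers what the advisory describes, and a device that has been in an attacker's hands deserves a comparison of the header against a known-good backup (`luksHeaderBackup`) rather than trust in the header alone.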