[pkg-cryptsetup-devel] Security issue (CVE-2021-4122) in cryptsetup 2:2.3.5-1

Yves-Alexis Perez corsac at debian.org
Thu Feb 10 15:43:21 GMT 2022 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, 2022-02-10 at 15:54 +0100, Yves-Alexis Perez wrote:
> Yeah no problem, I'll craft something from the various sources :)

Here's a draft text, heavily reusing bits from Milan advisory. Reviews and
comments appreciated :)

CVE-2021-4122

    Milan Broz, its maintainer, discovered an issue in cryptsetup, the disk
    encryption configuration tool for Linux.
    
    LUKS2 (an on-disk format) online reencryption is an optional extension to
    allow a user to change the data reencryption key while the data device is
    available for use during the whole reencryption process.
    
    An attacker can modify on-disk metadata to simulate decryption in progress
    with crashed (unfinished) reencryption step and persistently decrypt part
    of the LUKS2 device.
    
    This attack requires repeated physical access to the LUKS2 device but no
    knowledge of user passphrases.
    
    The decryption step is performed after a valid user activates the device
    with a correct passphrase and modified metadata.
    
    The size of possible decrypted data per attack step depends on configured
    LUKS2 header size (metadata size is configurable for LUKS2). With the
    default LUKS2 parameters (16 MiB header) and only one allocated keyslot
    (512 bit key for AES-XTS), simulated decryption with checksum resilience
    SHA1 (20 bytes checksum for 4096-byte blocks), the maximal decrypted size
    can be over 3GiB.
    
    The attack is not applicable to LUKS1 format, but the attacker can update
    metadata in place to LUKS2 format as an additional step. For such a
    converted LUKS2 header, the keyslot area is limited to decrypted size
(with
    SHA1 checksums) over 300 MiB.
    
    On Debian default configurations the installer uses the LUKS1 format.

Key truncation in dm-integrity

    This update additionaly fixes a key truncation issue for standalone
    dm-integrity devices using HMAC integrity protection. For existing such
    devices with extra long HMAC keys (typically >106 bytes of length), one
    might need to manually truncate the key using integritysetup(8)'s
    `--integrity-key-size` option in order to properly map the device under
    2:2.3.7-1+deb11u1 and later.
  
    Only standalone dm-integrity devices are affected. dm-crypt devices,
    including those using authenticated disk encryption, are unaffected.


- -- 
Yves-Alexis
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAmIFMpkACgkQ3rYcyPpX
RFttYAgAi/MrDQbZtpEV18pou9Uky4LPyJWCWaxWn9Hm6POlBylZw1Wt9mwbyESr
sZdxK0oV6tk9K3IsY6u5FO1T5Igr/XtlOAH1E1wYG3AdGOjcttlicfW3INgbPsuy
1Ql4aByqVXAn9/vUFXvt1Jmy9M6YQTHLfHolU/jHc5KheCAjv5S/RXbkQOiKtDTd
cqWV+Sal8KSZmB5HkQ4o7UI03ySt2T6JlyYmoRAm+ThEyLi02zrJv7Om1UM4Jb9z
8LyPF1Ws2HIT51Ikv6jqy4lBPTbUuIk5xspqNrH/MFrqubt/JwO/uYmVIk4fh5Z2
CGt16BYHPsztMPjr7SkUtU+GZ/xKjA==
=5V9t
-----END PGP SIGNATURE-----

More information about the pkg-cryptsetup-devel mailing list