Linux admins urged to patch full-disk encryption bug that allows decryption without a password


The issue affects LUKS 2.2.0 and later

Linux admins have been urged to patch a high-risk, full-disk encryption (FDE) vulnerability impacting Linux Unified Key Setup (LUKS) encryption software and its cryptsetup programme, which could allow an attacker with physical access to a system to decrypt data on the machine without using a password.

The issue, indexed as CVE-2021-4122, impacts LUKS 2.2.0 and later, according to Milan Broz, a cryptsetup administrator, who was credited for discovering the bug.

LUKS provides FDE of Linux systems and also makes it possible to re-encrypt an already encrypted system, using the cryptsetup tool, which is widely used to manage Linux FDE.

The 'reencrypt' option in LUKS2 enables users to decrypt, encrypt and re-encrypt data even when the system is in use.

The FDE bug in cryptsetup allows an attacker with physical access to the system and with no password knowledge to modify the LUKS2 metadata on the disk to simulate the decryption of the disk. Using the bug, the attacker can make it appear that re-encryption was aborted during the process, and then can decrypt a portion of the disk encrypted via LUKS.

Throughout the entire process, the device will look normal and will continue to decrypt without warning after a real user enters a valid password.

While the user believes that the data on the disk is still encrypted, it is actually partially decrypted.

After the decryption process is complete, the attacker would have to access the device again to collect the decrypted data. However, this would not require the real user to log in first, as the decrypted data is already directly accessible.

In this way, an attacker can exfiltrate gigabytes of data, without the user knowing.

"The attack can also be reversed afterward (simulating crashed encryption from a plaintext) with possible modification of revealed plaintext," Paul Ducklin of Sophos warned in a blog post.

"What this means is that a malevolent user could silently decrypt parts of a disk, for example on a server, without the password, quietly modify the decrypted data while it was in plaintext form - thanks to the lack of integrity protection in plaintext mode - and then seamlessly and surreptitiously re-encrypt and 're-integrify' the data later on."

The issue exists in cryptsetup releases since version 2.2.0. Versions 1.x, 2.0.x, and 2.1.x are not affected, as they do not use the LUKS2 re-encryption extension.

Fixed versions are cryptsetup 2.4.3 and 2.3.7, which protect re-encryption metadata with a signature that nobody can forge without knowing the password.
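
The version ranges above are branch-specific: 2.3.7 is fixed while 2.4.2 is not, so a single "older than 2.4.3" comparison gives the wrong answer. The following check is an added example, not code from the article or the cryptsetup project; the function names are hypothetical, and treating releases after the 2.4 branch as fixed is an assumption.

```shell
#!/bin/sh
# Added example: classify a cryptsetup version for CVE-2021-4122
# using only the affected and fixed ranges given in the article.

# Prints one of: not-affected | affected | fixed | unknown
classify_cryptsetup() {
    ver=$1
    case $ver in
        # Empty, non-numeric (e.g. "-rc0" suffixes) or malformed input
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver                       # split "2.3.7" into 2 3 7
    IFS=$old_ifs
    major=$1; minor=${2:-0}; patch=${3:-0}

    # 1.x never had the LUKS2 re-encryption extension
    if [ "$major" -lt 2 ]; then echo not-affected; return 0; fi
    # Assumption: major versions after 2 keep the fix
    if [ "$major" -gt 2 ]; then echo fixed; return 0; fi

    case $minor in
        0|1) echo not-affected ;;     # 2.0.x and 2.1.x are not affected
        2)   echo affected ;;         # article names no fixed 2.2.x release
        3)   if [ "$patch" -ge 7 ]; then echo fixed; else echo affected; fi ;;
        4)   if [ "$patch" -ge 3 ]; then echo fixed; else echo affected; fi ;;
        *)   echo fixed ;;            # assumption: branches after 2.4 include the fix
    esac
}

# Second field of `cryptsetup --version`; empty if the tool is missing
installed_cryptsetup_version() {
    cryptsetup --version 2>/dev/null | awk '{ print $2; exit }'
}

echo "installed cryptsetup: $(classify_cryptsetup "$(installed_cryptsetup_version)")"
```

Distribution packages may carry a backported fix under an older upstream version number, so an "affected" result should be confirmed against the distribution's own advisory for CVE-2021-4122.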