From: Ondrej Kozina <okozina@redhat.com>
To: dm-crypt@saout.de
Cc: Christoph Anton Mitterer <calestyo@scientia.net>
Subject: [dm-crypt] Re: cryptsetup 2.4.3 (CVE-2021-4122 fix)
Date: Fri, 14 Jan 2022 12:18:46 +0100 [thread overview]
Message-ID: <63ddbca1-6d16-1a90-440c-f7f89d1367a1@redhat.com> (raw)
In-Reply-To: <c4bb84c7f13521651e124fa01e926c3a8d7d7301.camel@scientia.net>
Hi Christoph,
On 13. 01. 22 19:24, Christoph Anton Mitterer wrote:
> Hey.
>
>
> On Thu, 2022-01-13 at 11:05 +0100, Milan Broz wrote:
>> An attacker can modify on-disk metadata to simulate decryption in
>> progress with crashed (unfinished) reencryption step and
>> persistently
>> decrypt part of the LUKS device.
>
> Just for my understanding...
>
> 1) Wouldn't that then cause complete decryption? I.e. cryptsetup sees
> that re-encrypt (to plain text) was allegedly aborted at block XYZ...
> and then re-encrypts (to plain text) from there on the whole device?
Not without user manual intervention. Currently, the reencryption
operation can not be resumed unless user directly issue "cryptsetup
reencrypt" command (applies to both fixed and vulnerable cryptsetups).
And it would require user to provide proper passphrase. Since it
requires user's manual input it gives user also space to verify the
state of LUKS2 metadata with e.g. luksDump command before triggering the
command.
On the other hand, the vulnerability primarily targets LUKS2
reencryption auto-recovery feature. Auto-recovery takes place in two
scenarios:
a) cryptsetup repair command (again manual intervention with interactive
query and passphrase prompt)
b) LUKS2 device activation e.g. during system boot.
Let's focus on b) a little:
The LUKS2 reencryption was designed in a way that even if the operation
is interrupted forcefully (system crash/power failure) the system should
be able to recover from it automatically. So the recovery from
reencryption crash is seamless provided user knows passphrase.
In corner case, when device is small enough to fit limits disclosed in
the vulnerability report (and LUKS2 spare metadata space allows it) the
auto-recovery may actually finish the decryption process (in one step).
>
> 2) And shouldn't that fail then next time, the device is opened?
Only if user willingly resumes reencryption or in corner case described
above. Yes in that case the device activation would fail because there
are no VK stored in remaining LUKS2 header stub.
Anyway, an attacker could easily avoid this scenario but forging the
LUKS2 metadata in a way that at least single sector remains encrypted.
> Either because it was completely transformed to plain text, while some
> encryption is expected...
above
or because an attack started only e.g. at
> half o the blocks, but then one half is encrypted and the other not?
Nope, in this case device would activate just fine, part of the device
encrypted and part plaintext (multi segment device-mapper device).
Otherwise we would be unable to activate partially decrypted devices due
to interruption. Same applies to devices in encryption or reencryption.
>
> 3) Would it also have been possible, to re-encrypt with another key?
In
> other words, is the new key written to some extra header area... or is
> it rather just some new keyslot, encrypted with a passphrase, and thus
> that would have been (hopefully) noticed when "resuming" re-encryption,
> and the passphrase doesn't match (respectively the legit user cannot
> unlock the keylslot)?
Ransomware attack is not possible provided attacker does not know valid
passphrase or VK, if that's what you're asking:
Yes, attacker can add new unbound LUKS2 keyslot (with key not assigned
to current encrypted segment), but he does not know proper passphrase
(P_OK) to one of existing keyslots (with valid VK). So the keyslot is
protected by different passphrase P_X.
So attacker can forge such LUKS2 metadata, add new LUKS2 keyslot but the
attack itself would not trigger properly during auto-recovery or even
manual cryptsetup reencrypt command. Reencryption requires all necessary
VKs unlocked to properly resume or perform recovery.
>
>
>> The attack is not applicable to LUKS1 format, but the attacker can
>> update metadata in place to LUKS2 format as an additional step.
>
> Shouln't "all" (at least as far as possible) of the header be secured
> by some MAC or so, so that cryptsetup would abort before opening, when
> something seems fishy?
That would not be possible with LUKS2 format, or better say with current
version of API of libcryptsetup. If the whole header was to be protected
by MAC it would require complete rework of API which would not be
backward compatible. It would probably be LUKS3 format/library.
Also, just for LUKS2 reencryption, it would completely kill the
performance of the operation. During LUKS2 reencryption the json
metadata area gets updated quite often (twice per single reencryption
step which is typically ~100MiBs of data reencrypteed with checksum
resilience mode). If we calculated authentication digest (time expensive
operation) in each step twice it would not go fast.
Kind regards
Ondrej
>
> Not just with respect to re-encryption, but also e.g. which header
> version is used, or settings like whether DISCARD shall be used (which
> may have some security impact)?
>
>
> Thanks,
> Chris.
> _______________________________________________
> dm-crypt mailing list -- dm-crypt@saout.de
> To unsubscribe send an email to dm-crypt-leave@saout.de
_______________________________________________
dm-crypt mailing list -- dm-crypt@saout.de
To unsubscribe send an email to dm-crypt-leave@saout.de
next prev parent reply other threads:[~2022-01-14 11:27 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-13 10:05 [dm-crypt] [ANNOUNCE] cryptsetup 2.4.3 (CVE-2021-4122 fix) Milan Broz
2022-01-13 18:24 ` [dm-crypt] " Christoph Anton Mitterer
2022-01-14 11:18 ` Ondrej Kozina [this message]
2022-01-15 4:06 ` Christoph Anton Mitterer
2022-01-17 11:05 ` Ondrej Kozina
2022-01-24 20:50 ` Christoph Anton Mitterer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=63ddbca1-6d16-1a90-440c-f7f89d1367a1@redhat.com \
--to=okozina@redhat.com \
--cc=calestyo@scientia.net \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).