Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2021-4122

Published: 13 January 2022

It was found that a specially crafted LUKS header could trick cryptsetup into disabling encryption during the recovery of the device. An attacker with physical access to the medium, such as a flash disk, could use this flaw to force a user into permanently disabling the encryption layer of that medium.

Notes

AuthorNote
amurray
Vulnerability is in the online re-encryption feature which is only supported by cryptsetup >= 2.2.0
mdeslaur
per upstream, the backport to 2.2 would be very problematic and
it is suggested that the best option is to disable online
reencryption
Priority

Medium

CVSS 3 base score: 5.9

Status

Package Release Status
cryptsetup
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
focal
Released (2:2.2.2-3ubuntu2.4)
hirsute Ignored
(reached end-of-life)
impish
Released (2:2.3.7-0ubuntu0.21.10.1)
jammy
Released (2:2.4.3-1ubuntu1)
trusty Not vulnerable
(code not present)
upstream
Released (2.4.3,2.3.7)
xenial Not vulnerable
(code not present)
Patches:
upstream: https://gitlab.com/cryptsetup/cryptsetup/-/commit/0113ac2d889c5322659ad0596d4cfc6da53e356c (master)
upstream: https://gitlab.com/cryptsetup/cryptsetup/-/commit/de98f011418c62e7b825a8ce3256e8fcdc84756e (v2.4)
upstream: https://gitlab.com/cryptsetup/cryptsetup/-/commit/60addcffa6794c29dccf33d8db5347f24b75f2fc (v2.3)
upstream: https://gitlab.com/cryptsetup/cryptsetup/-/commit/0fd1c62de9c53958a8ef5d436273284e166254c9 (v2.2 disable)