Unprivileged user can access LUKS keyfile
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
initramfs-tools (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
lubuntu-meta (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
Lubuntu 19.04 and newer uses Calamares as installer. During the installation, the user can choose to encrypt the entire disk (Full Disk Encryption FDE). Calamares creates an LUKS container (and an EFI-System-
When booting, Grub asks for the passphrase to unlock the LUKS container. For convenience, there is the keyfile "/crypto_
An unprivileged user can't copy or read the keyfile. But the keyfile is also in the initrd.img.
Attack:
Even an unprivileged user has read-access to the initrd.img under /boot, so the attacker can execute:
(1) $ unmkinitramfs /boot/initrd.
(2) $ cp /tmp/initrd/
DREAD (LOW = 1, MEDIUM = 2, HIGH = 3):
Damage: HIGH => This attack allows to get the keyfile
Reproducibility: HIGH => Works every time with access to the system
Exploitability: LOW/MEDIUM => You must have access to a shell and the unencrypted device (maybe in combination with another vulnerability)
Affected users: MEDIUM => Every user which uses Lubuntu 19.04 and newer in combination with FDE, maybe also other users
Discoverability: HIGH => The origin of this bug report is publicly logged: https:/
DREAD-Rating: 12/13 of 15
information type: | Private Security → Public Security |