Unprivileged user can access LUKS keyfile

Bug #1835096 reported by apt-ghetto on 2019-07-02
This bug affects 1 person
Affects:
initramfs-tools (Ubuntu): Importance: Undecided; Assigned to: Unassigned
lubuntu-meta (Ubuntu): Importance: Undecided; Assigned to: Unassigned

Bug Description

Lubuntu 19.04 and newer uses Calamares as installer. During the installation, the user can choose to encrypt the entire disk (Full Disk Encryption, FDE). Calamares creates a LUKS container (and an EFI System Partition, when needed).

When booting, Grub asks for the passphrase to unlock the LUKS container. For convenience, there is the keyfile "/crypto_keyfile.bin" (600, root:root) which will be used later to unlock the LUKS container again.

An unprivileged user can't copy or read the keyfile. But the keyfile is also in the initrd.img.

Attack:
Even an unprivileged user has read-access to the initrd.img under /boot, so the attacker can execute:
(1) $ unmkinitramfs /boot/initrd.img-5.0.0.20-generic /tmp/initrd
(2) $ cp /tmp/initrd/main/crypto_keyfile.bin ~

DREAD (LOW = 1, MEDIUM = 2, HIGH = 3):
Damage: HIGH => This attack allows the attacker to get the keyfile
Reproducibility: HIGH => Works every time with access to the system
Exploitability: LOW/MEDIUM => You must have access to a shell and the unencrypted device (maybe in combination with another vulnerability)
Affected users: MEDIUM => Every user who uses Lubuntu 19.04 and newer in combination with FDE, maybe also other users
Discoverability: HIGH => The origin of this bug report is publicly logged: https://irclogs.ubuntu.com/2019/07/02/%23lubuntu.html#t10:26

DREAD-Rating: 12/13 of 15

information type: Private Security → Public Security
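
A check an administrator can run for the exposure described in this report, as an added example that is not part of the original bug report or of any Ubuntu package: it lists initramfs images that non-root users can read and checks whether the initramfs-tools configuration restricts the mode of newly built images. The default paths and the function names are assumptions; `UMASK` is the initramfs-tools setting that controls the permissions of generated images.

```shell
#!/bin/sh
# Added example: audit for keyfile exposure through readable initramfs images.
# Assumes initramfs-tools; conf.d snippets that set UMASK are not inspected.

# Print every initrd image directly in directory $1 that group or others can read.
readable_initrds() {
    find "$1" -maxdepth 1 -type f -name 'initrd.img-*' \
        \( -perm -040 -o -perm -004 \) -print | sort
}

# Succeed only if config file $1 sets UMASK to 077 (written as 077 or 0077).
umask_restricted() {
    grep -Eq '^[[:space:]]*UMASK=0?077[[:space:]]*$' "$1" 2>/dev/null
}

# Report findings for boot directory $1 and config file $2.
# Returns 0 when nothing is exposed, 1 otherwise.
audit_boot() {
    boot_dir=${1:-/boot}
    conf=${2:-/etc/initramfs-tools/initramfs.conf}
    status=0

    exposed=$(readable_initrds "$boot_dir")
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" | sed 's/^/EXPOSED (readable by non-root): /'
        status=1
    fi

    if ! umask_restricted "$conf"; then
        echo "WARN: $conf does not set UMASK=0077; rebuilt images may be readable by all users"
        status=1
    fi

    return "$status"
}

# Run against the live system only when asked to (AUDIT_RUN=1 sh audit.sh).
if [ "${AUDIT_RUN:-0}" = 1 ]; then
    audit_boot /boot /etc/initramfs-tools/initramfs.conf
fi
```

Images that already exist keep their current mode until they are regenerated or their permissions are changed, so both checks matter.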