Encrypted LUKS disks store passphrase plaintext in memory

Bug #196368 reported by Mark Featherston on 2008-02-28
268
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
Unassigned

Bug Description

To test this, run "sudo cat /dev/mem | strings | grep firstfewcharsofpassphrase" and eventually the entire string will turn up. I've only tested this in hardy, but I expect it is also present in Gutsy. My roomate running Gentoo with LUKS also has this problem, while another roomate using gentoo and truecrypt did not.

trollord (trollenlord) wrote :

Tested myself, can confirm this one. This is bad especially because of this: http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html and because of that storing the passphrase itself is not required for the encryption to work.. Better approach would be to store just (salted) hash (which is used for the md encryption module anyways). It makes at least finding the real key harder.

nullack (nullack) wrote :

I tried this on Intrepid pre alpha and found I cant execute that command:

cat: /dev/mem: Operation not permitted

I just updated my intrepid machine on virtualbox and it allowed me to do cat /dev/mem, make sure you are doing it as root. But even if intrepid is stopping the user from running the command, then it still won't stop someone from rebooting the machine and putting in a cd with a minimal memory footprint and dumping strings from memory to get the passphrase.

affects: ubuntu → linux (Ubuntu)
Joseph Salisbury (jsalisbury) wrote :

Would it be possible for you to test the latest upstream kernel? It will allow additional upstream developers to examine the issue. Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the release candidate kernel versus the daily build. Once you've tested the upstream kernel, please remove the 'needs-upstream-testing' tag(Only that one tag, please leave the others). This can be done by clicking on the yellow pencil icon next to the tag located at the bottom of the bug description and deleting the 'needs-upstream-testing' text.

If this bug is fixed by the mainline kernel, please add the following tag 'kernel-fixed-upstream-KERNEL-VERSION'. For example, if kernel version 3.1-rc9 fixed and issue, the tag would be: 'kernel-fixed-upstream-v3.1-rc9'.

If the mainline kernel does not fix this bug, please add the tag: 'kernel-bug-exists-upstream'.

tags: added: needs-upstream-testing

Mark Featherston, this bug was reported a while ago and there hasn't been any activity in it recently. We were wondering if this is still an issue? If so, could you please test for this with the latest development release of Ubuntu? ISO images are available from http://cdimage.ubuntu.com/daily-live/current/ .

If it remains an issue, could you please run the following command in the development release from a terminal, as it will automatically gather and attach updated debug information to this report:

apport-collect -p linux REPLACE-WITH-BUG-NUMBER

If reproducible, could you also please test the latest upstream kernel available from the very top line at the top of the page (not the daily folder) following https://wiki.ubuntu.com/KernelMainlineBuilds ? It will allow additional upstream developers to examine the issue. Once you've tested the upstream kernel, please comment on which kernel version specifically you tested. If this bug is fixed in the mainline kernel, please add the following tags:
kernel-fixed-upstream
kernel-fixed-upstream-VERSION-NUMBER

where VERSION-NUMBER is the version number of the kernel you tested exactly shown as:
kernel-fixed-upstream-3.17

This can be done by clicking on the yellow circle with a black pencil icon next to the word Tags located at the bottom of the bug description.

If the mainline kernel does not fix this bug, please add the following tags:
kernel-bug-exists-upstream
kernel-bug-exists-upstream-VERSION-NUMBER

Once testing of the upstream kernel is complete, please mark this bug's Status as Confirmed. Please let us know your results. Thank you for your understanding.

tags: added: hardy
removed: disk encrypted luks
Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers