Encrypted LUKS disks store passphrase plaintext in memory

Reported by Mark Featherston on 2008-02-28
Affects: linux (Ubuntu)

Bug Description

To test this, run "sudo cat /dev/mem | strings | grep firstfewcharsofpassphrase" and eventually the entire string will turn up. I've only tested this in Hardy, but I expect it is also present in Gutsy. My roommate running Gentoo with LUKS also has this problem, while another roommate using Gentoo and TrueCrypt did not.

trollord (trollenlord) wrote :

Tested myself, can confirm this one. This is bad especially because of this: http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html and because of that storing the passphrase itself is not required for the encryption to work. A better approach would be to store just a (salted) hash (which is used for the md encryption module anyways). It makes at least finding the real key harder.
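
The approach trollord sketches (derive the key, keep only that, never hold on to the passphrase) is shown in the added example below, which is not code from this bug report, from the kernel or from cryptsetup/LUKS; its derive_key is a stand-in hash rather than the PBKDF2 LUKS uses, and region_contains is the report's "strings | grep" check applied to a buffer the program itself owns.

```c
/* Added example (not from the bug report): handle a LUKS-style passphrase so
 * that the plaintext is wiped as soon as a key has been derived from it.
 * derive_key is a stand-in hash, NOT the PBKDF2 LUKS uses; the point is the
 * lifecycle of the passphrase buffer. */
#include <stdint.h>
#include <string.h>

#define KEY_BYTES 32

/* Wipe a buffer in a way the compiler may not elide: a plain memset on a
 * buffer that is never read again is a dead store and can be optimised out. */
void wipe_secret(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Stand-in key derivation (FNV-1a style mixing), deterministic for testing.
 * A real implementation calls a memory-hard KDF here. */
void derive_key(const char *pass, size_t len, uint8_t key[KEY_BYTES]) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < KEY_BYTES; i++) {
        for (size_t j = 0; j < len; j++) {
            h ^= (uint8_t)pass[j] ^ (uint8_t)i;
            h *= 0x100000001b3ULL;
        }
        key[i] = (uint8_t)(h >> 56);
    }
}

/* The report's "strings | grep passphrase" check, applied to a buffer this
 * program owns: does the passphrase still appear anywhere in the region? */
int region_contains(const unsigned char *mem, size_t n, const char *needle) {
    size_t m = strlen(needle);
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(mem + i, needle, m) == 0) return 1;
    return 0;
}

/* Copy the passphrase into a working buffer, derive the key, wipe the
 * passphrase, then report whether a copy survives (0 = clean, -1 = too long). */
int unlock_and_wipe(const char *pass, unsigned char *work, size_t worklen,
                    uint8_t key[KEY_BYTES]) {
    size_t len = strlen(pass);
    if (len + 1 > worklen) return -1;
    memcpy(work, pass, len + 1);           /* plaintext now lives in 'work' */
    derive_key((const char *)work, len, key);
    wipe_secret(work, len + 1);            /* done with the plaintext: erase it */
    return region_contains(work, worklen, pass);
}
```

Only the buffer this code owns is wiped; other copies made by a terminal, a shell, or the kernel's own key handling are outside its reach, which is why the report's /dev/mem check still matters.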

nullack (nullack) wrote :

I tried this on Intrepid pre-alpha and found I can't execute that command:

cat: /dev/mem: Operation not permitted

I just updated my Intrepid machine on VirtualBox and it allowed me to do cat /dev/mem; make sure you are doing it as root. But even if Intrepid is stopping the user from running the command, it still won't stop someone from rebooting the machine and putting in a CD with a minimal memory footprint and dumping strings from memory to get the passphrase.

affects: ubuntu → linux (Ubuntu)
Joseph Salisbury (jsalisbury) wrote :

Would it be possible for you to test the latest upstream kernel? It will allow additional upstream developers to examine the issue. Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the release candidate kernel versus the daily build. Once you've tested the upstream kernel, please remove the 'needs-upstream-testing' tag(Only that one tag, please leave the others). This can be done by clicking on the yellow pencil icon next to the tag located at the bottom of the bug description and deleting the 'needs-upstream-testing' text.

If this bug is fixed by the mainline kernel, please add the following tag: 'kernel-fixed-upstream-KERNEL-VERSION'. For example, if kernel version 3.1-rc9 fixed the issue, the tag would be: 'kernel-fixed-upstream-v3.1-rc9'.

If the mainline kernel does not fix this bug, please add the tag: 'kernel-bug-exists-upstream'.

tags: added: needs-upstream-testing