Ubuntu

publicly exports dm key information

Reported by Martin Pitt on 2010-04-06
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
udisks
Fix Released
High
devicekit-disks (Ubuntu)
Undecided
Unassigned
Karmic
High
Unassigned
Lucid
Undecided
Unassigned
udisks (Debian)
Fix Released
Unknown
udisks (Ubuntu)
High
Martin Pitt
Karmic
Undecided
Unassigned
Lucid
High
Martin Pitt

Bug Description

Binary package hint: udisks

udisks exports the device-mapper table data to udev. This data includes encryption keys.

| E:UDISKS_DM_TARGETS_COUNT=1
| E:UDISKS_DM_TARGETS_TYPE=crypt
| E:UDISKS_DM_TARGETS_START=0
| E:UDISKS_DM_TARGETS_LENGTH=1467585
| E:UDISKS_DM_TARGETS_PARAMS=aes-cbc-essiv:sha256\x20XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\x200\x208:5\x200

UDISKS_DM_TARGETS_PARAMS includes the complete table entry, in case of the crypt target this includes the key and iv type.

Related branches

CVE References

I committed a test for this, which fails right now:

http://cgit.freedesktop.org/udisks/commit/?id=4670d2edfb615af94bd9d82d8fd12b7cf8d23b9d

======================================================================
FAIL: LUKS create/teardown
----------------------------------------------------------------------
Traceback (most recent call last):
  File "tests/run", line 735, in test_0_create_teardown
    self.failIf('essiv:sha' in out, 'key information in udev properties')
AssertionError: key information in udev properties

(In reply to comment #0)
> So we should drop the key information for UDISKS_DM_TARGETS_TYPE == "crypt" or
> only explicitly set major/minor/offset, and/or not set UDISKS_DM_TARGETS_TYPE
> for anything != "linear".

How about just keeping it for linear mappings for the time being? In the future we can keep it for other device mapper targets as well - for example, we want this data for multipath in order to display state about each path etc. etc. etc.

Before I go and touch any code, I added a new test case which exercises this code path by ensuring that DM partitions (kpartx'ed on a LV) have a correct PartitionSlave property (it involves parsing UDISKS_DM_TARGETS_PARAMS and various DM_* properties). When I disable the UDISKS_DM_TARGETS_PARAMS reading in udisks-part-id, this test case fails.

(In reply to comment #2)
> How about just keeping it for linear mappings for the time being?

Works for me. Now that I have test cases for both ends, I'll work on that tomorrow (bedtime now).

Thanks!

Martin Pitt (pitti) wrote :

Binary package hint: udisks

udisks exports the device-mapper table data to udev. This data includes encryption keys.

| E:UDISKS_DM_TARGETS_COUNT=1
| E:UDISKS_DM_TARGETS_TYPE=crypt
| E:UDISKS_DM_TARGETS_START=0
| E:UDISKS_DM_TARGETS_LENGTH=1467585
| E:UDISKS_DM_TARGETS_PARAMS=aes-cbc-essiv:sha256\x20XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\x200\x208:5\x200

UDISKS_DM_TARGETS_PARAMS includes the complete table entry, in case of the crypt target this includes the key and iv type.

security vulnerability: no → yes
Changed in udisks (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
importance: Undecided → High
milestone: none → ubuntu-10.04
status: New → In Progress
Martin Pitt (pitti) wrote :

udisks only needs UDISKS_DM_TARGETS_PARAMS for UDISKS_DM_TARGETS_TYPE == "linear", and is only interested in the major/minor of the device and the offset.

So we should drop the key information for UDISKS_DM_TARGETS_TYPE == "crypt" or only explicitly set major/minor/offset, and/or not set UDISKS_DM_TARGETS_TYPE for anything != "linear".

Changed in udisks (Debian):
status: Unknown → New
Martin Pitt (pitti) wrote :
Changed in udisks (Ubuntu Lucid):
status: In Progress → Fix Committed

David, I think it's worth pushing out an 1.0.1 with this fix (I also made a couple of other fixes in trunk). Or do you want to wait for the CVE to arrive? (Someone requested one, as far as I understood from #udev).

Martin Pitt (pitti) wrote :

Upstream said someone already requested a CVE for this.

Changed in udisks (Ubuntu Karmic):
status: New → Invalid
Changed in devicekit-disks (Ubuntu Lucid):
status: New → Invalid
Martin Pitt (pitti) wrote :

This also affects devicekit-disks in karmic. Earlier Ubuntu releases used hal and did not have {u,dk}-disks yet.

Changed in devicekit-disks (Ubuntu Karmic):
assignee: nobody → Martin Pitt (pitti)
importance: Undecided → High
status: New → In Progress
Martin Pitt (pitti) wrote :

Ah, *phew*, I checked karmic, and its dk-disks version is old enough to not yet export TARGETS_PARAMS at all. ./src/devkit-disks-dm-export.c just entirely ignores the "params" return value.

Changed in devicekit-disks (Ubuntu Karmic):
assignee: Martin Pitt (pitti) → nobody
status: In Progress → Invalid
Martin Pitt (pitti) wrote :

$ sudo src/devkit-disks-dm-export 252 0
DKD_DM_NAME=udisks-luks-uuid-fb577f21-6a7e-4891-84d6-dc369073ac34-uid1000
DKD_DM_UUID=CRYPT-LUKS1-fb577f216a7e489184d6dc369073ac34-udisks-luks-uuid-fb577f21-6a7e-4891-84d6-dc369073ac34-uid1000
DKD_DM_STATE=ACTIVE
DKD_DM_TABLE_STATE=LIVE
DKD_DM_OPENCOUNT=1
DKD_DM_LAST_EVENT_NR=0
DKD_DM_MAJOR=252
DKD_DM_MINOR=0
DKD_DM_TARGET_COUNT=1
DKD_DM_TARGET_TYPES=crypt

Changed in udisks (Debian):
status: New → Confirmed

From: Josh Bressers 4/7/10 7:08 PM
Re: [oss-security] CVE Request -- udisks v1.0.0 -- (serious)information disclosure
Please use CVE-2010-1149 for this.
Thanks.
--
   JB

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package udisks - 1.0.1-1

---------------
udisks (1.0.1-1) unstable; urgency=high

  Urgency high because of security bug fix.

  [ Michael Biebl ]
  * Build against parted 2.2. (Closes: #574908)
  * debian/control
    - Add dependency on dbus.

  [ Martin Pitt ]
  * New upstream bug fix release:
    - umount.udisks: Exit with return code 0 if the unmount succeeded.
      (LP: #541740)
    - Allow other rules (such as media-player-info) to set a more specific
      presentation icon.
    - Set multimedia-player-ipod icon for iPod media players. (LP: #540235)
    - Stop exporting DM key information. (Closes: #576687, LP: #556651,
      CVE-2010-1149)
    - Fix DM partition table detection.
    - job-drive-benchmark.c: Fix data types in error messages. (LP: #527202)
    - Hide Sony E-Book launcher partition. (LP: #546924)
    - Various test suite improvements.
 -- Martin Pitt <email address hidden> Fri, 09 Apr 2010 18:19:18 +0200

Changed in udisks (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in udisks (Debian):
status: Confirmed → Fix Released

Be careful : with the new update of udisks version 1.0.1-1ubuntu it is impossible to read an internal or usb floppy. The solution is to downgrade udisks to 1.0.1-build1 as I explain here in detail :

http://users.skynet.be/linux-rixensart/1_suite.html#floppy

Lucien

Changed in udisks:
importance: Unknown → High
status: Unknown → Fix Released
Changed in udisks:
importance: High → Unknown
Changed in udisks:
importance: Unknown → High
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.