summaryrefslogtreecommitdiffstats
path: root/docs/v2.3.7-ReleaseNotes
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--docs/v2.3.7-ReleaseNotes95
1 files changed, 95 insertions, 0 deletions
diff --git a/docs/v2.3.7-ReleaseNotes b/docs/v2.3.7-ReleaseNotes
new file mode 100644
index 0000000..5305d6f
--- /dev/null
+++ b/docs/v2.3.7-ReleaseNotes
@@ -0,0 +1,95 @@
+Cryptsetup 2.3.7 Release Notes
+==============================
+Stable security bug-fix release that fixes CVE-2021-4122.
+
+All users of cryptsetup 2.3.x must upgrade to this version.
+
+Changes since version 2.3.6
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Fix possible attacks against data confidentiality through LUKS2 online
+ reencryption extension crash recovery (CVE-2021-4122).
+
+ An attacker can modify on-disk metadata to simulate decryption in
+ progress with crashed (unfinished) reencryption step and persistently
+ decrypt part of the LUKS device.
+
+ This attack requires repeated physical access to the LUKS device but
+ no knowledge of user passphrases.
+
+ The decryption step is performed after a valid user activates
+ the device with a correct passphrase and modified metadata.
+ There are no visible warnings for the user that such recovery happened
+ (except using the luksDump command). The attack can also be reversed
+ afterward (simulating crashed encryption from a plaintext) with
+ possible modification of revealed plaintext.
+
+ The size of possible decrypted data depends on configured LUKS2 header
+ size (metadata size is configurable for LUKS2).
+ With the default parameters (16 MiB LUKS2 header) and only one
+ allocated keyslot (512 bit key for AES-XTS), simulated decryption with
+ checksum resilience SHA1 (20 bytes checksum for 4096-byte blocks),
+ the maximal decrypted size can be over 3GiB.
+
+ The attack is not applicable to LUKS1 format, but the attacker can
+ update metadata in place to LUKS2 format as an additional step.
+ For such a converted LUKS2 header, the keyslot area is limited to
+ decrypted size (with SHA1 checksums) over 300 MiB.
+
+ The issue is present in all cryptsetup releases since 2.2.0.
+ Versions 1.x, 2.0.x, and 2.1.x are not affected, as these do not
+ contain LUKS2 reencryption extension.
+
+ The problem was caused by reusing a mechanism designed for actual
+ reencryption operation without reassessing the security impact for new
+ encryption and decryption operations. While the reencryption requires
+ calculating and verifying both key digests, no digest was needed to
+ initiate decryption recovery if the destination is plaintext (no
+ encryption key). Also, some metadata (like encryption cipher) is not
+ protected, and an attacker could change it. Note that LUKS2 protects
+ visible metadata only when a random change occurs. It does not protect
+ against intentional modification but such modification must not cause
+ a violation of data confidentiality.
+
+ The fix introduces additional digest protection of reencryption
+ metadata. The digest is calculated from known keys and critical
+ reencryption metadata. Now an attacker cannot create correct metadata
+ digest without knowledge of a passphrase for used keyslots.
+ For more details, see LUKS2 On-Disk Format Specification version 1.1.0.
+
+ The former reencryption operation (without the additional digest) is no
+ longer supported (reencryption with the digest is not backward
+ compatible). You need to finish in-progress reencryption before
+ updating to new packages. The alternative approach is to perform
+ a repair command from the updated package to recalculate reencryption
+ digest and fix metadata.
+ The reencryption repair operation always require a user passphrase.
+
+ WARNING: Devices with older reencryption in progress can be no longer
+ activated without performing the action mentioned above.
+
+ Encryption in progress can be detected by running the luksDump command
+ (output includes reencrypt keyslot with reencryption parameters). Also,
+ during the active reencryption, no keyslot operations are available
+ (change of passphrases, etc.).
+
+ The issue was found by Milan Broz as cryptsetup maintainer.
+
+Other changes
+~~~~~~~~~~~~~
+* Add configure option --disable-luks2-reencryption to completely disable
+ LUKS2 reencryption code.
+
+ When used, the libcryptsetup library can read metadata with
+ reencryption code, but all reencryption API calls and cryptsetup
+ reencrypt commands are disabled.
+
+ Devices with online reencryption in progress cannot be activated.
+ This option can cause some incompatibilities. Please use with care.
+
+* Improve internal metadata validation code for reencryption metadata.
+
+* Add updated documentation for LUKS2 On-Disk Format Specification
+ version 1.1.0 (with reencryption extension description and updated
+ metadata description). See docs/on-disk-format-luks2.pdf or online
+ version in https://gitlab.com/cryptsetup/LUKS2-docs repository.