Vulnerability in cryptsetup Allows Decrypting Part of LUKS2-Encrypted Device

It was found that a specially crafted LUKS header could trick cryptsetup into disabling encryption during the recovery of the device.

Many enterprises, small businesses, and government users need to encrypt their laptops to protect confidential information such as customer details, files, contact information, and much more.

LUKS (Linux Unified Key Setup) is the standard for Linux hard disk encryption and it is transparent to the user as it operates below the filesystem layer. Basically, it is a block device encryption, which means that when a block from disk is read or written the encryption module at kernel level works for us, like a translator.

LUKS  is a part of the cryptsetup package. It stores all setup information in the partition header, enabling the user to transport or migrate his data seamlessly. But sometimes you need to change the master encryption settings on a device.

For this purpose, cryptsetup provides a handy option called reencrypt. Unfortunately, the cryptsetup program turns out to have had a bug, dubbed CVE-2021-4122, in a re-encryption feature. The problem was caused by reusing a mechanism designed for actual re-encryption operation.

An attacker can modify on-disk metadata to simulate decryption in progress with crashed (unfinished) re-encryption step and persistently decrypt part of the LUKS device.

This attack requires repeated physical access to the LUKS device but no knowledge of user passphrases. The decryption step is performed after a valid user activates the device with a correct passphrase and modified metadata. There are no visible warnings for the user that such recovery happened. The attack can also be reversed afterward with possible modification of revealed plaintext.

The process is:

  1. Attacker gets physical access to the hard drive (PC/Laptop) and modify the header.
  2. User need to decrypt, which decrypting the modified header.
  3. The attacker needs to get access again to drive to read plaintext data.

To put it simple: someone with physical access to the disk could deceive the re-encryption tool into thinking that it was part-way through a decrypt-only procedure, and therefore trick the LUKS software into decrypting part of the disk and leaving it unencrypted.

Vulnerable Versions & Fixes

The issue is present in all cryptsetup releases since 2.2.0. Versions 1.x, 2.0.x, and 2.1.x are not affected, as these do not contain LUKS2 re-encryption extension.

Fortunately, the vulnerability was quickly fixed with the release of new versions of cryptsetup-2.4.3 and crypsetup-2.3.7. So if you use cryptsetup for full-disk encryption, please update ASAP to remove the threat addressed in the CVE-2021-4122.

Bobby Borisov

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.