CVE-2021-4122 A LUKS header can trick cryptsetup into disabling encryption during recovery.

The best way to avoid this issue is to always keep the physical security of the medium as tight as possible and to ensure that the device is always in the physical possession of the person who can restore the data onto it. To protect against this, the latest version of cryptsetup supports a new “lock” feature which will prevent the usage of a LUKS header if it has been modified. Users of cryptsetup version 1.7.0 or greater should make sure to enable the “lock” option by running “cryptsetup --header-lock” on the LUKS header.

Cryptsetup 1.6.0 and older versions

If a LUKS header has been modified, then cryptsetup will refuse to load it because of the new lock option. For users of cryptsetup 1.6.0 and older versions, make sure that the lock option is enabled by running “cryptsetup --header-lock” on the LUKS header.

CVE-2021-4124

The best way to avoid this issue is to always keep the physical security of the medium as tight as possible and to ensure that the device is always in the physical possession of the person who can restore the data onto it. To protect against this, the latest version of cryptsetup supports a new “lock” feature which will prevent the usage of a LUKS header if it has been modified. Users of cryptsetup version 1.7.0 or greater should make sure to enable the “lock” option by running “cryptsetup --header-lock” on the LUKS header.
