The best way to avoid this issue is to always keep the physical security of the medium as tight as possible and to ensure that the device is always in the physical possession of the person who can restore the data onto it. To protect against this, the latest version of cryptsetup supports a new “lock” feature which will prevent the usage of a LUKS header if it has been modified. Users of cryptsetup version 1.7.0 or greater should make sure to enable the “lock” option by running “ cryptsetup --header-lock ” on the LUKS header.
Cryptsetup 1.6.0 and older versions
If a LUKS header has been modified, then cryptsetup will refuse to load it because of the new lock option. For users of cryptsetup 1.6.0 and older versions, make sure that the lock option is enabled by running “ cryptsetup --header-lock ” on the LUKS header.
CVE-2021-4124
The best way to avoid this issue is to always keep the physical security of the medium as tight as possible and to ensure that the device is always in the physical possession of the person who can restore the data onto it. To protect against this, the latest version of cryptsetup supports a new “lock” feature which will prevent the usage of a LUKS header if it has been modified. Users of cryptsetup version 1.7.0 or greater should make sure to enable the “lock” option by running “ cryptsetup --header-lock ” on the LUKS header.
Timeline
Published on: 08/24/2022 16:15:00 UTC
Last modified on: 08/29/2022 14:28:00 UTC
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2031859
- https://bugzilla.redhat.com/show_bug.cgi?id=2032401
- https://access.redhat.com/security/cve/CVE-2021-4122
- https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.4/v2.4.3-ReleaseNotes
- https://gitlab.com/cryptsetup/cryptsetup/-/commit/0113ac2d889c5322659ad0596d4cfc6da53e356c
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4122