Bug 1194469 (CVE-2021-4122)

Summary: VUL-0: CVE-2021-4122: cryptsetup: disabling encryption via header rewrite
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: Andreas.Stieger, gianluca.gabrielli, lnussel, meissner, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/319782/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-4122:5.9:(AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 7 Gianluca Gabrielli 2022-01-14 13:04:01 UTC

LUKS2 is an on-disk format for disk-encryption configuration with
cryptsetup as the tool for configuration on Linux systems.

LUKS2 online reencryption is an optional extension to allow a user to
change the data reencryption key while the data device is available for
use during the whole reencryption process.

CVE-2021-4122 describes a possible attack against data confidentiality
through LUKS2 online reencryption extension crash recovery.

An attacker can modify on-disk metadata to simulate decryption in
progress with crashed (unfinished) reencryption step and persistently
decrypt part of the LUKS device.

This attack requires repeated physical access to the LUKS device but
no knowledge of user passphrases.

The decryption step is performed after a valid user activates
the device with a correct passphrase and modified metadata.
There are no visible warnings for the user that such recovery happened
(except using the luksDump command). The attack can also be reversed
afterward (simulating crashed encryption from a plaintext) with
possible modification of revealed plaintext.

The size of possible decrypted data depends on configured LUKS2 header
size (metadata size is configurable for LUKS2).
With the default parameters (16 MiB LUKS2 header) and only one
allocated keyslot (512 bit key for AES-XTS), simulated decryption with
checksum resilience SHA1 (20 bytes checksum for 4096-byte blocks),
the maximal decrypted size can be over 3GiB.

The attack is not applicable to LUKS1 format, but the attacker can
update metadata in place to LUKS2 format as an additional step.
For such a converted LUKS2 header, the keyslot area is limited to
decrypted size (with SHA1 checksums) over 300 MiB.

The problem was caused by reusing a mechanism designed for actual
reencryption operation without reassessing the security impact for new
encryption and decryption operations. While the reencryption requires
calculating and verifying both key digests, no digest was needed to
initiate decryption recovery if the destination is plaintext (no
encryption key). Also, some metadata (like encryption cipher) is not
protected, and an attacker could change it. Note that LUKS2 protects
visible metadata only when a random change occurs. It does not protect
against intentional modification but such modification must not cause
a violation of data confidentiality.

Affected versions:

The issue is present in all cryptsetup releases since 2.2.0.
Versions 1.x, 2.0.x, and 2.1.x are not affected, as these do not
contain LUKS2 reencryption extension.


The fix introduces additional digest protection of reencryption
metadata. The digest is calculated from known keys and critical
reencryption metadata. Now an attacker cannot create correct metadata
digest without knowledge of a passphrase for used keyslots.
For more details, see LUKS2 On-Disk Format Specification version 1.1.0.

The former reencryption operation (without the additional digest) is no
longer supported (reencryption with the digest is not backward
compatible). You need to finish in-progress reencryption before
updating to new packages. The alternative approach is to perform
a repair command from the updated package to recalculate reencryption
digest and fix metadata.
The reencryption repair operation always require a user passphrase.

An alternative fix is to use the newly introduced configure option
--disable-luks2-reencryption to completely disable LUKS2 reencryption

When used, the libcryptsetup library can read metadata with reencryption
code, but all reencryption API calls and cryptsetup reencrypt commands
are disabled. Devices with online reencryption in progress cannot be

Fixed versions and links:

Fixed in cryptsetup 2.4.3 and 2.3.7.

For 2.2.x (no longer supported upstream) the fix backport would be very
problematic, the best option is to disable online reencryption.
See upstream branch with backported --disable-luks2-reencryption option.

LUKS2 documentation with online reencryption extension

Thanks Red Hat security for handling the CVE process.

The issue was found by Milan Broz as cryptsetup maintainer.
Comment 8 Andreas Stieger 2022-01-14 19:25:33 UTC
Comment 10 Swamp Workflow Management 2022-01-20 20:19:42 UTC
openSUSE-SU-2022:0144-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1194469
CVE References: CVE-2021-4122
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    cryptsetup-2.3.7-150300.3.5.1
Comment 11 Swamp Workflow Management 2022-01-20 20:22:05 UTC
SUSE-SU-2022:0144-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1194469
CVE References: CVE-2021-4122
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    cryptsetup-2.3.7-150300.3.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    cryptsetup-2.3.7-150300.3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2022-06-15 19:14:53 UTC
openSUSE-SU-2022:0144-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194469,1195188
CVE References: CVE-2021-4122,CVE-2022-23959
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    cryptsetup-2.3.7-150300.3.5.1
openSUSE Backports SLE-15-SP4 (src):    varnish-7.1.0-bp154.2.3.1