Vulnerability in cryptsetup allowing encryption to be disabled on LUKS2 partitions

A vulnerability (CVE-2021-4122) has been identified in the cryptsetup package, which is used to encrypt disk partitions in Linux. To exploit the vulnerability, an attacker must have physical access to the encrypted medium, so the method is mainly relevant to encrypted external drives, such as flash drives, that the attacker can access but cannot decrypt because they do not know the password.

The attack applies only to the LUKS2 format and relies on manipulating the metadata responsible for activating the "online reencryption" extension. When the access key needs to be changed, this extension allows the data to be re-encrypted on the fly without stopping work with the partition. Since decrypting and encrypting with a new key takes a long time, "online reencryption" makes it possible to keep using the partition while re-encryption runs in the background, gradually moving data from one key to another. In particular, it is possible to select an empty target key, which converts the partition to decrypted form.

An attacker can modify the LUKS2 metadata to simulate a decryption operation that was interrupted by a failure, so that part of the partition is decrypted after the owner activates and uses the modified drive. The user who connects the modified drive and unlocks it with the correct password receives no warning that an interrupted reencryption operation is being resumed, and can learn about the progress of this operation only by using the "luksDump" command. The amount of data an attacker can decrypt depends on the size of the LUKS2 header, but with the default size (16 MiB) it can exceed 3 GB.
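A check for the reencryption markers before a drive is unlocked, as an added example that is not from the article or the cryptsetup project: it reads the LUKS2 JSON metadata from the first bytes of a device image or header backup and reports signs of a pending reencryption. The field names used (`online-reencrypt`, keyslot type `reencrypt`, the segment flags) come from the LUKS2 on-disk format rather than from this page, and the sample metadata is constructed.

```python
import json
import struct

LUKS2_MAGIC = b"LUKS\xba\xbe"  # magic of the primary LUKS2 binary header
BIN_HDR_SIZE = 4096            # the JSON area starts right after this header

def read_luks2_json(blob):
    """Return the JSON metadata from the first bytes of a device or header backup."""
    if len(blob) < BIN_HDR_SIZE:
        raise ValueError("too short for a LUKS2 header")
    # Big-endian fields: magic[6], version (u16), hdr_size (u64, includes JSON area).
    magic, version, hdr_size = struct.unpack_from(">6sHQ", blob, 0)
    if magic != LUKS2_MAGIC or version != 2:
        raise ValueError("not a LUKS2 primary header")
    if not BIN_HDR_SIZE < hdr_size <= len(blob):
        raise ValueError("header size field does not fit the data read")
    # The JSON text is NUL-padded up to hdr_size.
    return json.loads(blob[BIN_HDR_SIZE:hdr_size].split(b"\0", 1)[0])

def reencrypt_findings(meta):
    """List metadata markers showing that unlocking would resume a reencryption."""
    found = []
    reqs = meta.get("config", {}).get("requirements", {}).get("mandatory", [])
    found += [f"requirement {r}" for r in reqs if r.startswith("online-reencrypt")]
    for num, slot in sorted(meta.get("keyslots", {}).items()):
        if slot.get("type") == "reencrypt":
            found.append(f"keyslot {num}: reencrypt, mode={slot.get('mode')}")
    for num, seg in sorted(meta.get("segments", {}).items()):
        flags = seg.get("flags", [])
        if "in-reencryption" in flags:
            found.append(f"segment {num}: in-reencryption")
        if "backup-final" in flags and seg.get("type") == "linear":
            found.append(f"segment {num}: target state is plaintext")
    return found

# Constructed sample: only the fields the check reads, not a usable header.
SAMPLE_META = {
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "reencrypt", "mode": "decrypt"}},
    "segments": {
        "0": {"type": "crypt", "flags": ["in-reencryption"]},
        "1": {"type": "crypt", "flags": ["backup-previous"]},
        "2": {"type": "linear", "flags": ["backup-final"]},
    },
    "config": {"requirements": {"mandatory": ["online-reencrypt"]}},
}
SAMPLE_BLOB = (LUKS2_MAGIC + struct.pack(">HQ", 2, 16384)).ljust(BIN_HDR_SIZE, b"\0") \
    + json.dumps(SAMPLE_META).encode().ljust(16384 - BIN_HDR_SIZE, b"\0")

if __name__ == "__main__":
    for line in reencrypt_findings(read_luks2_json(SAMPLE_BLOB)):
        print("WARNING:", line)
```

Any finding on a drive whose owner did not start a reencryption is a reason to leave the drive locked and inspect the header first.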

The problem is caused by the fact that, although reencryption requires calculating and verifying the hashes of the new and old keys, no hash is required to start decryption if the new state implies the absence of an encryption key (plaintext). In addition, the LUKS2 metadata that specifies the encryption algorithm is not protected from modification if it falls into the hands of an attacker. To block the vulnerability, the developers added additional metadata protection to LUKS2: an additional hash, calculated from the known keys and the metadata content, is now checked, so an attacker can no longer stealthily change the metadata without knowing the decryption password.

A typical attack scenario requires the attacker to get their hands on the drive several times. First, the attacker, who does not know the access password, makes changes to the metadata area that initiate the decryption of part of the data at the next activation of the drive. Then the drive is returned to its place and the attacker waits until the user connects it and enters the password. When the user activates the device, a background re-encryption process is started, during which part of the encrypted data is replaced with decrypted data. Afterwards, if the attacker can get their hands on the device again, some of the data on the drive will be in decrypted form.

The issue was identified by the cryptsetup project maintainer and fixed in the cryptsetup 2.4.3 and 2.3.7 updates. The availability of updates that fix the problem in distributions can be tracked on these pages: Debian, RHEL, SUSE, Fedora, Ubuntu, Arch. The vulnerability appears only starting with the release of cryptsetup 2.2.0, which introduced support for the "online reencryption" operation. As a security workaround, launching with the "--disable-luks2-reencryption" option can be used.

Source: opennet.ru
