Vulnerability in cryptsetup that allows encryption to be disabled on LUKS2 partitions

A vulnerability (CVE-2021-4122) has been identified in the cryptsetup package, which is used to encrypt disk partitions in Linux. It allows encryption to be disabled on partitions in the LUKS2 (Linux Unified Key Setup) format by modifying metadata. To exploit the vulnerability, the attacker must have physical access to the encrypted media, i.e. the method makes sense mainly for attacking encrypted external storage devices, such as flash drives, which the attacker can access but for which they do not know the password to decrypt the data.

The attack applies only to the LUKS2 format and involves manipulating the metadata responsible for activating the "online reencryption" extension, which allows, when the access key needs to be changed, the data reencryption process to be started on the fly without stopping work with the partition. Since decrypting and encrypting with a new key takes a long time, "online reencryption" makes it possible not to interrupt work with the partition and to perform the reencryption in the background, gradually re-encrypting data from one key to another. It is also possible to select an empty target key, which allows the partition to be converted to decrypted form.

An attacker can make changes to the LUKS2 metadata that simulate an abort of the decryption operation as the result of a failure, and achieve decryption of part of the partition after the owner activates and uses the modified drive. In this case, the user who connected the modified drive and unlocked it with the correct password receives no warning about the process of resuming the interrupted reencryption operation, and can only find out about the progress of this operation by using the "luksDump" command. The amount of data that an attacker can decrypt depends on the size of the LUKS2 header, but at the default size (16 MiB) it can exceed 3 GB.
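Because the only visible sign is the reencryption state stored in the header, a check like the following can flag a device whose metadata says a decryption is pending before it is unlocked. This is an added example, not code from the article or from the cryptsetup project; the field names reflect the LUKS2 JSON metadata layout as understood here and are assumptions, and both samples are constructed.

```python
import json

# Constructed, trimmed LUKS2 JSON metadata; not taken from a real device.
# Field names follow the LUKS2 on-disk format as understood here (assumption).
SAMPLE_REENCRYPT = json.loads("""
{
  "keyslots": {
    "0": {"type": "luks2", "key_size": 64},
    "1": {"type": "reencrypt", "mode": "decrypt", "direction": "forward"}
  },
  "segments": {
    "0": {"type": "linear", "offset": "16777216", "size": "1048576"},
    "1": {"type": "crypt", "offset": "17825792", "size": "dynamic",
          "flags": ["in-reencryption"]},
    "2": {"type": "linear", "offset": "16777216", "size": "dynamic",
          "flags": ["backup-final"]}
  },
  "config": {"requirements": {"mandatory": ["online-reencrypt"]}}
}
""")
SAMPLE_IDLE = {
    "keyslots": {"0": {"type": "luks2", "key_size": 64}},
    "segments": {"0": {"type": "crypt", "offset": "16777216", "size": "dynamic"}},
    "config": {},
}

def reencryption_findings(meta):
    """List every sign in the metadata that a reencryption is pending."""
    findings = []
    reqs = meta.get("config", {}).get("requirements", {}).get("mandatory", [])
    findings += [f"requirement: {r}" for r in reqs if r.startswith("online-reencrypt")]
    for sid, slot in sorted(meta.get("keyslots", {}).items()):
        if slot.get("type") == "reencrypt":
            findings.append(f"keyslot {sid}: reencrypt, mode={slot.get('mode')}")
    for sid, seg in sorted(meta.get("segments", {}).items()):
        flags = seg.get("flags", [])
        if "in-reencryption" in flags:
            findings.append(f"segment {sid}: in-reencryption")
        if "backup-final" in flags and seg.get("type") == "linear":
            findings.append(f"segment {sid}: final state is unencrypted")
    return findings

def decrypt_pending(meta):
    """True when a reencrypt keyslot says the target state is plaintext."""
    return any(s.get("type") == "reencrypt" and s.get("mode") == "decrypt"
               for s in meta.get("keyslots", {}).values())

if __name__ == "__main__":
    for name, meta in (("reencrypt", SAMPLE_REENCRYPT), ("idle", SAMPLE_IDLE)):
        print(name, decrypt_pending(meta), reencryption_findings(meta))
```

Any finding on a device for which the owner never started a reencryption is a reason to stop and inspect the header before entering the password.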

The problem is caused by the fact that, although reencryption requires computing and verifying the hashes of the new and old keys, a hash is not required to start decryption if the new state implies the absence of a key for encryption. In addition, the LUKS2 metadata, which specifies the encryption algorithm, is not protected from modification if it falls into the hands of an attacker. To block the vulnerability, the developers added additional metadata protection to LUKS2, for which an additional hash is now checked, computed from the known keys and the metadata contents, i.e. an attacker can no longer covertly change the metadata without knowing the decryption password.

A typical attack scenario requires that the attacker be able to get their hands on the drive multiple times. First, an attacker who does not know the access password makes changes to the metadata area that trigger decryption of part of the data the next time the drive is activated. The drive is then returned to its place and the attacker waits until the user connects it and enters the password. When the device is activated by the user, a background reencryption process is started, during which part of the encrypted data is replaced with decrypted data. Further, if the attacker manages to get their hands on the device again, some of the data on the drive will be in decrypted form.

The problem was identified by the cryptsetup project maintainer and fixed in the cryptsetup 2.4.3 and 2.3.7 updates. The status of the updates being prepared to fix the problem in distributions can be tracked on these pages: Debian, RHEL, SUSE, Fedora, Ubuntu, Arch. The vulnerability appears only since the release of cryptsetup 2.2.0, which introduced support for the "online reencryption" operation. As a protective workaround, launching with the "--disable-luks2-reencryption" option can be used.

Source: opennet.ru
