119 lines
4.5 KiB
Text
119 lines
4.5 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-15:08.bsdinstall Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Insecure default GELI keyfile permissions
|
|
|
|
Category: core
|
|
Module: bsdinstall
|
|
Announced: 2015-04-07
|
|
Credits: Pierre Kim
|
|
Affects: FreeBSD 10.1.
|
|
Corrected: 2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
|
|
2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
|
|
CVE Name: CVE-2015-1415
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The GEOM ELI class, or geli(8) implements encryption on GEOM providers which
|
|
supports various cryptographic encryption and authentication methods as
|
|
well as hardware acceleration. Each geli(8) provider has two key slots,
|
|
and each slot holds a copy of its master key encrypted by a keyfile and/or
|
|
a passphrase chosen by the system administrator.
|
|
|
|
The bsdinstall(8) installer is the default system installer of FreeBSD since
|
|
FreeBSD 10.0-RELEASE.
|
|
|
|
II. Problem Description
|
|
|
|
The default permission set by bsdinstall(8) installer when configuring full
|
|
disk encrypted ZFS is too open.
|
|
|
|
III. Impact
|
|
|
|
A local attacker may be able to get a copy of the geli(8) provider's
|
|
keyfile which is located at a fixed location.
|
|
|
|
IV. Solution
|
|
|
|
Note well: due to the nature of this issue, there is no way to fix this
|
|
issue for already installed systems without human intervention. System
|
|
administrators are advised to assume that the keyfile have already been
|
|
leaked and a new keyfile is necessary.
|
|
|
|
The system administrator can create a new keyfile with the correct
|
|
permissions, and change the key slot that holds the master key encrypted
|
|
with the old keyfile.
|
|
|
|
For example, if the GELI provider is /dev/ada0, the system administrator
|
|
can do the following:
|
|
|
|
# umask 077
|
|
# dd if=/dev/random of=/boot/encryption.key.new bs=4096 count=1
|
|
# umask 022
|
|
# geli setkey -K /boot/encryption.key.new /dev/ada0p3
|
|
Enter new passphrase:
|
|
Reenter new passphrase:
|
|
|
|
(Repeat the geli setkey command if multiple providers are used)
|
|
|
|
# mv /boot/encryption.key.new /boot/encryption.key
|
|
# ls -l /boot/encryption.key
|
|
|
|
Make sure that the new /boot/encryption.key can only be read by root.
|
|
|
|
The FreeBSD stable and security branch (releng) and the changes are mainly
|
|
intended for system integrators who build their own installation image for
|
|
new installations.
|
|
|
|
V. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/10/ r281230
|
|
releng/10.1/ r281232
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VI. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1415>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:08.bsdinstall.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v2.1.2 (FreeBSD)
|
|
|
|
iQIcBAEBCgAGBQJVJD4CAAoJEO1n7NZdz2rntF0P/0vVZ6W5xpIAm5K7eS184GaJ
|
|
TuQ0E5XdqH1i6smYxAwUHtINFmAJ11cv+KwAbwFwazdB9jy4def6kwBZ/PE1y1M9
|
|
OGi/JD3RghL0RrrrIzADVz5Z4Hi401BmLN7aOW9REX75/o82XqGXTRlDmow5z22D
|
|
/B4NRNQ0p6cwmwh179HHuJPgQsDmL3mBkgn4oMv1036q9VjP5V/b+i2Ja/I6oCa/
|
|
ZJhdEg17P9ek6GBna/fV7yo1Cr+A7v9aSUFcN9E8VqoWGn06jO0sLjWCC9Lrc6sZ
|
|
KAgFbxNuPW/eZOE447DIu9jrgE8xxBFn6skeW81jsPsT4FsF/7KWG+dxBOa9XxOH
|
|
XQTzc9sx3tsRVUzEBUGHRpPh/ZbkqtqQ5MYrAYk66NJ1NFqbrhY08mqzOd4+Sr7a
|
|
CUMV/1vD0pCRME8bgIVupKciIw9y6QYWo2Gm+BJIqAw7L8EaEhaN7nnBxDbRehlj
|
|
PdRYxHO4aQLIxdaV4dtDx3SX+njRxyVP/0OOSVQz1laiKadsRO2YQe+IhVoFhU5v
|
|
fLSoBI+8mX8Sc65UasqsuNXC3G2c6XXKkLBCYzmL90R2pwPtxbQRTDVGMmG9fyyc
|
|
b4w+yindLcwKXxKJryQWswAbv6hBQunAoCaVsqiIdF2N9Psrlr3FhkU//JbvrxA1
|
|
COcciZEksTS0JwEpOGi5
|
|
=wg1b
|
|
-----END PGP SIGNATURE-----
|