-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0901
                 Insecure default GELI keyfile permissions
                               8 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           bsdinstall
Publisher:         FreeBSD
Operating System:  FreeBSD
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1415  

Original Bulletin: 
   https://security.FreeBSD.org/advisories/FreeBSD-SA-15:08.bsdinstall.asc

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:08.bsdinstall                                 Security Advisory
                                                          The FreeBSD Project

Topic:          Insecure default GELI keyfile permissions

Category:       core
Module:         bsdinstall
Announced:      2015-04-07
Credits:        Pierre Kim
Affects:        FreeBSD 10.1.
Corrected:      2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
                2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
CVE Name:       CVE-2015-1415

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The GEOM ELI class, or geli(8), implements encryption on GEOM providers and
supports various cryptographic encryption and authentication methods as
well as hardware acceleration.  Each geli(8) provider has two key slots,
and each slot holds a copy of its master key encrypted by a keyfile and/or
a passphrase chosen by the system administrator.

The bsdinstall(8) installer has been the default system installer of FreeBSD
since FreeBSD 10.0-RELEASE.

II.  Problem Description

The default permissions set on the GELI keyfile by the bsdinstall(8)
installer when configuring full-disk-encrypted ZFS are too open.

III. Impact

A local attacker may be able to get a copy of the geli(8) provider's
keyfile which is located at a fixed location.

IV.  Solution

Note well: due to the nature of this issue, there is no way to fix it on
already installed systems without human intervention.  System
administrators are advised to assume that the keyfile has already been
leaked and that a new keyfile is necessary.

The system administrator can create a new keyfile with the correct
permissions, and change the key slot that holds the master key encrypted
with the old keyfile.

For example, if the GELI provider is on /dev/ada0 (partition /dev/ada0p3 in
the commands below), the system administrator can do the following:

# umask 077
# dd if=/dev/random of=/boot/encryption.key.new bs=4096 count=1
# umask 022
# geli setkey -K /boot/encryption.key.new /dev/ada0p3
Enter new passphrase:
Reenter new passphrase:

(Repeat the geli setkey command if multiple providers are used)

# mv /boot/encryption.key.new /boot/encryption.key
# ls -l /boot/encryption.key

Make sure that the new /boot/encryption.key can only be read by root.
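
The final check above can be scripted.  The following is an added example,
not part of the FreeBSD advisory: a read-only POSIX sh audit of the keyfile's
owner and mode.  The function name audit_keyfile and its optional
expected-uid argument are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not part of the advisory: read-only audit of a GELI keyfile.
# audit_keyfile PATH [EXPECTED_UID]
#   returns 0 = expected owner, no group/other permission bits, no ACL
#           1 = exposed (wrong owner, group/other bits set, or ACL present)
#           2 = missing, a symlink, or not a regular file
audit_keyfile() {
    keyfile=$1
    want_uid=${2:-0}    # root by default; the override exists for testing

    if [ -L "$keyfile" ] || [ ! -f "$keyfile" ]; then
        echo "MISSING  $keyfile: not a regular file"
        return 2
    fi

    # POSIX "ls -ln": field 1 is the mode string, field 3 the numeric uid.
    set -- $(ls -ln -- "$keyfile")
    mode=$1
    uid=$3
    # Characters 5-10 of the mode string are the group and other bits.
    group_other=$(printf '%s' "$mode" | cut -c5-10)

    status=0
    if [ "$uid" != "$want_uid" ]; then
        echo "EXPOSED  $keyfile: owner uid $uid, expected $want_uid"
        status=1
    fi
    if [ "$group_other" != "------" ]; then
        echo "EXPOSED  $keyfile: mode $mode grants group/other access"
        status=1
    fi
    # A trailing "+" in the mode string marks an ACL that may widen access.
    case $mode in
        *+) echo "EXPOSED  $keyfile: ACL present, review it"; status=1 ;;
    esac
    [ "$status" -eq 0 ] && echo "OK       $keyfile: $mode uid $uid"
    return "$status"
}

# Run as a script: sh audit_keyfile.sh /boot/encryption.key
if [ "$#" -gt 0 ]; then
    audit_keyfile "$@"
fi
```

A result of 1 on the old keyfile means it should be treated as leaked and
replaced with the procedure above, not merely fixed with chmod.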

The corresponding changes to the FreeBSD stable and security (releng)
branches are mainly intended for system integrators who build their own
installation images for new installations.

V.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r281230
releng/10.1/                                                      r281232
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VI. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1415>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:08.bsdinstall.asc>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----