Headline
GHSA-f5p4-p5q5-jv3h: Contrast has insecure LUKS2 persistent storage partitions may be opened and used
Summary
A malicious host may provide a crafted LUKS2 volume to a Contrast pod VM that uses the secure persistent volume feature. The guest will open the volume and write secret data using a volume key known to the attacker.
LUKS2 volume metadata is (a) not authenticated and (b) supports null key-encryption algorithms, allowing an attacker to create a volume such that the volume:
- Opens (cryptsetup open) without error using any passphrase or token
- Records all writes in plaintext (or ciphertext with an attacker-known key)
Details
Contrast uses cryptsetup to setup secure persistent volumes, using the secret seed as key for the cryptsetup encryption. To do so the Contrast Initializer will invoke the cryptsetup CLI. If the device provided by Kubernetes is a identified as cryptsetup device, the Initializer assumes a pod restart happened and the device was previously encrypted with the secret seed. The Initializer will try to open the device, and assume it is protected if the operation succeeds. However, due to the unsafe handling of null keyslot algorithms in the cryptsetup 2.8.1, it is possible that the opened volume is not encrypted at all.
Cryptsetup prior to version 2.8.1 does not report an error when processing LUKS2-formatted disks that use the cipher_null-ecb algorithm in the keyslot encryption field.
Impact
Using a maliciously crafted cryptsetup device, an attacker can read confidential data that was written to the persistent volume that should have been protected by encryption.
Notice that Contrast’s persistent volumes weren’t integrity protected, so the integrity impact of this attack isn’t considered.
Patches
A partial fix landed in cryptsetup version 2.8.1, disabling null ciphers in keyslots when the user passphrase is nonempty. Contrast shipped this cryptsetup version shortly after it has been released upstream, in Contrast version v1.12.1.
However, LUKS header parsing and interpretation remains a large attack surface. Attackers may still be able to modify LUKS headers in other ways, such as triggering automatic reencryption or downgrading to weak ciphers. As a long term hardening solution, LUKS disks is encrypted in detached header mode. The detached header resides in a tmpfs file inside guest RAM, and is checked before it is used to open the device. This has been implemented in #1731 and released as part of Contrast v1.13.0.
In addition, we added integrity protection for secure persistent storage as a new feature in #1734, which was also shipped as part of v1.13.0.
Summary
A malicious host may provide a crafted LUKS2 volume to a Contrast pod VM that uses the secure persistent volume feature. The guest will open the volume and write secret data using a volume key known to the attacker.
LUKS2 volume metadata is (a) not authenticated and (b) supports null key-encryption algorithms, allowing an attacker to create a volume such that the volume:
- Opens (cryptsetup open) without error using any passphrase or token
- Records all writes in plaintext (or ciphertext with an attacker-known key)
Details
Contrast uses cryptsetup to setup secure persistent volumes, using the secret seed as key for the cryptsetup encryption. To do so the Contrast Initializer will invoke the cryptsetup CLI. If the device provided by Kubernetes is a identified as cryptsetup device, the Initializer assumes a pod restart happened and the device was previously encrypted with the secret seed. The Initializer will try to open the device, and assume it is protected if the operation succeeds. However, due to the unsafe handling of null keyslot algorithms in the cryptsetup 2.8.1, it is possible that the opened volume is not encrypted at all.
Cryptsetup prior to version 2.8.1 does not report an error when processing LUKS2-formatted disks that use the cipher_null-ecb algorithm in the keyslot encryption field.
Impact
Using a maliciously crafted cryptsetup device, an attacker can read confidential data that was written to the persistent volume that should have been protected by encryption.
Notice that Contrast’s persistent volumes weren’t integrity protected, so the integrity impact of this attack isn’t considered.
Patches
A partial fix landed in cryptsetup version 2.8.1, disabling null ciphers in keyslots when the user passphrase is nonempty. Contrast shipped this cryptsetup version shortly after it has been released upstream, in Contrast version v1.12.1.
However, LUKS header parsing and interpretation remains a large attack surface. Attackers may still be able to modify LUKS headers in other ways, such as triggering automatic reencryption or downgrading to weak ciphers. As a long term hardening solution, LUKS disks is encrypted in detached header mode. The detached header resides in a tmpfs file inside guest RAM, and is checked before it is used to open the device. This has been implemented in #1731 and released as part of Contrast v1.13.0.
In addition, we added integrity protection for secure persistent storage as a new feature in #1734, which was also shipped as part of v1.13.0.
References
- GHSA-f5p4-p5q5-jv3h
- edgelesssys/contrast#1731
- edgelesssys/contrast@2252a23