FreeBSD Security Advisories
2015-Apr-07 20:54 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:08.bsdinstall
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================FreeBSD-SA-15:08.bsdinstall Security Advisory The FreeBSD Project Topic: Insecure default GELI keyfile permissions Category: core Module: bsdinstall Announced: 2015-04-07 Credits: Pierre Kim Affects: FreeBSD 10.1. Corrected: 2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE) 2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9) CVE Name: CVE-2015-1415 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background The GEOM ELI class, or geli(8) implements encryption on GEOM providers which supports various cryptographic encryption and authentication methods as well as hardware acceleration. Each geli(8) provider has two key slots, and each slot holds a copy of its master key encrypted by a keyfile and/or a passphrase chosen by the system administrator. The bsdinstall(8) installer is the default system installer of FreeBSD since FreeBSD 10.0-RELEASE. II. Problem Description The default permission set by bsdinstall(8) installer when configuring full disk encrypted ZFS is too open. III. Impact A local attacker may be able to get a copy of the geli(8) provider's keyfile which is located at a fixed location. IV. Solution Note well: due to the nature of this issue, there is no way to fix this issue for already installed systems without human intervention. System administrators are advised to assume that the keyfile have already been leaked and a new keyfile is necessary. The system administrator can create a new keyfile with the correct permissions, and change the key slot that holds the master key encrypted with the old keyfile. For example, if the GELI provider is /dev/ada0, the system administrator can do the following: # umask 077 # dd if=/dev/random of=/boot/encryption.key.new bs=4096 count=1 # umask 022 # geli setkey -K /boot/encryption.key.new /dev/ada0p3 Enter new passphrase: Reenter new passphrase: (Repeat the geli setkey command if multiple providers are used) # mv /boot/encryption.key.new /boot/encryption.key # ls -l /boot/encryption.key Make sure that the new /boot/encryption.key can only be read by root. The FreeBSD stable and security branch (releng) and the changes are mainly intended for system integrators who build their own installation image for new installations. V. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/10/ r281230 releng/10.1/ r281232 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VI. References <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1415> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:08.bsdinstall.asc> -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.2 (FreeBSD) iQIcBAEBCgAGBQJVJD4CAAoJEO1n7NZdz2rntF0P/0vVZ6W5xpIAm5K7eS184GaJ TuQ0E5XdqH1i6smYxAwUHtINFmAJ11cv+KwAbwFwazdB9jy4def6kwBZ/PE1y1M9 OGi/JD3RghL0RrrrIzADVz5Z4Hi401BmLN7aOW9REX75/o82XqGXTRlDmow5z22D /B4NRNQ0p6cwmwh179HHuJPgQsDmL3mBkgn4oMv1036q9VjP5V/b+i2Ja/I6oCa/ ZJhdEg17P9ek6GBna/fV7yo1Cr+A7v9aSUFcN9E8VqoWGn06jO0sLjWCC9Lrc6sZ KAgFbxNuPW/eZOE447DIu9jrgE8xxBFn6skeW81jsPsT4FsF/7KWG+dxBOa9XxOH XQTzc9sx3tsRVUzEBUGHRpPh/ZbkqtqQ5MYrAYk66NJ1NFqbrhY08mqzOd4+Sr7a CUMV/1vD0pCRME8bgIVupKciIw9y6QYWo2Gm+BJIqAw7L8EaEhaN7nnBxDbRehlj PdRYxHO4aQLIxdaV4dtDx3SX+njRxyVP/0OOSVQz1laiKadsRO2YQe+IhVoFhU5v fLSoBI+8mX8Sc65UasqsuNXC3G2c6XXKkLBCYzmL90R2pwPtxbQRTDVGMmG9fyyc b4w+yindLcwKXxKJryQWswAbv6hBQunAoCaVsqiIdF2N9Psrlr3FhkU//JbvrxA1 COcciZEksTS0JwEpOGi5 =wg1b -----END PGP SIGNATURE-----