Secure testing team - Sep 2010 - Bug#595998: Multiple security issues

Package: encfs
Severity: grave
Tags: security

The following issues were reported to the oss-security mailing list:

----
Hello Steve, vendors,

  Micha Riser reported:
  [A] http://archives.neohapsis.com/archives/fulldisclosure/2010-08/0316.html

three security flaws in EncFS encrypted filesystem (more from [A]):

"A security analysis of EncFS has revealed multiple vulnerabilities:
(1) Only 32 bit of file IV used
(2) Watermarking attack
(3) Last block with single byte is insecure"

References:
  [B] http://www.arg0.net/encfs
  [C] http://bugs.gentoo.org/show_bug.cgi?id=335938
  [D]
http://archives.neohapsis.com/archives/fulldisclosure/2010-08/att-0316/watermark-attack-encfs.tar.gz
  [E] https://bugzilla.redhat.com/show_bug.cgi?id=630460


Solutions / patches information:
===============================
* for issue (1) -- seems it wasn''t fixed / isn''t possible to
  fix without breaking backward compatibility. More from [B]:

  "The old IV setup is kept for backwards compatibility."

* for issue (2) -- EncFS upstream has released a fix for the issue:
  [F] http://code.google.com/p/encfs/source/detail?r=59

Valient, could you please confirm, the above referenced [F] patch,
is the correct one to address the watermarking attack issue?

* for issue (3) -- not sure about patch status (included in [F] too?)

Steve, could you allocate CVE ids for these flaws?
----

Upstream replied:

----
Jan,

Yes, the patch referenced in [F],  specifically changes to SSL_Cipher.cpp, were
made in response to issues (1) & (2).  These are+not backward compatible,
and so only apply to new filesystems.

Issue (3) is not directly addressed.  A workaround is to enable per-block MAC
headers, or per-block random bytes.  A patch going+into 1.7.2 allows per-block
random bytes to be configured independently of MAC headers.  It would be
possible to change the
+default settings such that per-block random bytes are always used.

Adding new encryption modes is not planned for encfs 1.x.

regards,
Valient

----

The following CVE assignments have been made:

----
Here goes:

CVE-2010-3073 encfs Only 32 bit of file IV used
CVE-2010-3074 encfs Watermarking attack
CVE-2010-3075 encfs Last block with single byte is insecure"

Thanks

-----

Cheers,
         Moritz









-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, ''unstable'')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages encfs depends on:
pn  fuse-utils                    <none>     (no description available)
pn  libboost-serialization1.34.1  <none>     (no description available)
ii  libc6                         2.11.2-2   Embedded GNU C Library: Shared lib
pn  libfuse2                      <none>     (no description available)
ii  libgcc1                       1:4.4.4-9  GCC support library
pn  librlog1c2a                   <none>     (no description available)
ii  libssl0.9.8                   0.9.8o-1   SSL shared libraries
ii  libstdc++6                    4.4.4-9    The GNU Standard C++ Library v3

encfs recommends no packages.

encfs suggests no packages.