From: Mariusz Zaborski
Date: Wed, 8 Feb 2023 20:52:52 +0100
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-23:01.geli
To: Shawn Webb
Cc: freebsd-security@freebsd.org, FreeBSD Security Advisories
List-Archive: https://lists.freebsd.org/archives/freebsd-security

No, each disk is encrypted/initialized separately:
https://cgit.freebsd.org/src/tree/usr.sbin/bsdinstall/scripts/zfsboot#n1275

On Wed, 8 Feb 2023 at 20:42, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> On Wed, Feb 08, 2023 at 07:08:33PM +0000, FreeBSD Security Advisories wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > =============================================================================
> > FreeBSD-SA-23:01.geli                                        Security Advisory
> >                                                           The FreeBSD Project
> >
> > Topic:          GELI silently omits the keyfile if read from stdin
> >
> > Category:       core
> > Module:         geli
> > Announced:      2023-02-08
> > Credits:        Nathan Dorfman <ndorf@rtfm.net>
> > Affects:        All supported versions of FreeBSD.
> > Corrected:      2023-02-08 18:03:19 UTC (stable/13, 13.1-STABLE)
> >                 2023-02-08 18:06:31 UTC (releng/13.1, 13.1-RELEASE-p6)
> >                 2023-02-08 18:05:45 UTC (stable/12, 12.4-STABLE)
> >                 2023-02-08 18:30:27 UTC (releng/12.4, 12.4-RELEASE-p1)
> >                 2023-02-08 18:28:31 UTC (releng/12.3, 12.3-RELEASE-p11)
> > CVE Name:       CVE-2023-0751
> >
> > For general information regarding FreeBSD Security Advisories,
> > including descriptions of the fields above, security branches, and the
> > following sections, please visit <URL:https://security.FreeBSD.org/>.
> >
> > I.   Background
> >
> > GELI is a block device-layer disk encryption utility.  It uses a random
> > master key to perform symmetric cryptography on sectors.  The master key is
> > encrypted using a user key, which might consist of up to two components: a
> > user passphrase and a key file.  The key file might be read from a file or
> > from standard input.  GELI also allows initialization of multiple devices
> > with a single command.
> >
> > II.  Problem Description
> >
> > When GELI reads a key file from standard input, it doesn't store it
> > anywhere.  If the user tries to initialize multiple providers at once, for
> > the second and subsequent devices the standard input stream will be already
> > empty.  In this case, GELI silently uses a NULL key as the user key file.  If
> > the user used only a key file without a user passphrase, the master key was
> > encrypted with an empty key file.  This might not be noticed if the devices
> > were also decrypted in a batch operation.
> >
> > III. Impact
> >
> > Some GELI providers might be silently encrypted with a NULL key file.
>
> bsdinstall has a nifty option for using geli to encrypt your ZFS root
> pool (usually named zroot). Are ZFS pools created by bsdinstall
> impacted?
>
> Thanks,
>
> --
> Shawn Webb
> Cofounder / Security Engineer
> HardenedBSD
>
> https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
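As an added example (not FreeBSD's geli source, and not the actual fix), the following C model reproduces the mechanism the advisory describes: a key file read from an exhaustible stream is consumed by the first provider, so every later provider in the same batch receives zero bytes. The uncached path is the vulnerable pattern; the cached path reads the stream once and reuses it. A tmpfile() stands in for stdin, and the key bytes passed in are constructed test input.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEYFILE 1024

/* Key material read from a stream: filled on first use, reused afterwards. */
struct keyfile_cache {
    unsigned char data[MAX_KEYFILE];
    size_t len;
    bool loaded;
};

/* Read the key file for one provider from `in`.  Uncached: every call drains
 * what is left on the stream, so the second provider hits EOF and gets a
 * zero-length key.  Cached: the first call fills the cache, later calls copy. */
static size_t read_keyfile(FILE *in, struct keyfile_cache *c, bool cached,
                           unsigned char *out, size_t cap)
{
    if (!cached)
        return fread(out, 1, cap, in);
    if (!c->loaded) {
        c->len = fread(c->data, 1, sizeof c->data, in);
        c->loaded = true;
    }
    size_t n = c->len < cap ? c->len : cap;
    memcpy(out, c->data, n);
    return n;
}

/* Model of a batch `geli init` over `nprov` providers with the key file taken
 * from one stream (tmpfile() stands in for stdin).  Returns how many providers
 * would be set up with an empty key file, or -1 on setup failure.  A hardened
 * tool treats a non-zero count with no passphrase as fatal, never as success. */
int empty_keys_in_batch(const unsigned char *key, size_t keylen, int nprov,
                        bool cached)
{
    FILE *in = tmpfile();
    if (in == NULL) return -1;
    struct keyfile_cache cache = {0};
    unsigned char buf[MAX_KEYFILE];
    int empty = -1;                 /* stays -1 if the stream cannot be filled */
    if (fwrite(key, 1, keylen, in) == keylen) {
        rewind(in);
        empty = 0;
        for (int i = 0; i < nprov; i++)
            if (read_keyfile(in, &cache, cached, buf, sizeof buf) == 0)
                empty++;            /* provider i would get a NULL key file */
    }
    fclose(in);
    return empty;
}
```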