freebsd | FreeBSD | 3FCAB88B-47BC-11EE-8E38-002590C1F29C
Feb 08, 2023 - 12:00 a.m.

FreeBSD -- GELI silently omits the keyfile if read from stdin

2023-02-08 00:00:00
vuxml.freebsd.org
freebsd
geli
keyfile
omission
stdin
encryption
security

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001 Low
Percentile: 26.8%

Problem Description:
When GELI reads a key file from standard input, it doesn’t store it
anywhere. If the user tries to initialize multiple providers at once,
the standard input stream will already be empty for the second and
subsequent devices. In this case, GELI silently uses a NULL key as the
user key file. If the user used only a key file without a user
passphrase, the master key was encrypted with an empty key file. This
might not be noticed if the devices were also decrypted in a batch
operation.

Impact:
Some GELI providers might be silently encrypted with a NULL key
file.

| OS | Version | Architecture | Package | Version | Filename |
| --- | --- | --- | --- | --- | --- |
| FreeBSD | any | noarch | freebsd-kernel | = 13.1 | UNKNOWN |
| FreeBSD | any | noarch | freebsd-kernel | < 13.1_6 | UNKNOWN |
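
The failure mode in the problem description, modelled as an added example (not code from FreeBSD or from the advisory): a batch initialization that re-reads a drained stream next to one that reads once and rejects empty input, plus an audit that finds providers keyed from zero bytes. The provider names, salts, keyfile bytes and the `derive_user_key` helper are assumptions; the helper is a simplified stand-in, not GELI's real key derivation.

```python
import hashlib
import hmac
import io

# Constructed sample data: provider names, salts and keyfile bytes are made up.
PROVIDERS = [("da0", b"salt-da0"), ("da1", b"salt-da1"), ("da2", b"salt-da2")]
KEYFILE = b"constructed keyfile contents \x00\x01\x02"


def derive_user_key(salt: bytes, keyfile: bytes) -> bytes:
    # Simplified model (assumption): HMAC-SHA512 over the keyfile bytes, keyed
    # with a per-provider salt. It is not GELI's real derivation.
    return hmac.new(salt, keyfile, hashlib.sha512).digest()


def init_batch_rereading(stream, providers):
    """Flawed pattern from the advisory: every provider reads the stream again."""
    keys = {}
    for name, salt in providers:
        material = stream.read()  # returns b"" once the stream is drained
        keys[name] = derive_user_key(salt, material)  # empty input goes unnoticed
    return keys


def init_batch_cached(stream, providers):
    """Hardened pattern: read once, reject empty input, reuse for all providers."""
    material = stream.read()
    if not material:
        raise ValueError("keyfile read from stdin is empty")
    return {name: derive_user_key(salt, material) for name, salt in providers}


def keyed_with_empty_keyfile(keys, providers):
    """Audit: list providers whose key equals the one derived from zero bytes."""
    return [name for name, salt in providers
            if hmac.compare_digest(keys[name], derive_user_key(salt, b""))]


def demo():
    flawed = init_batch_rereading(io.BytesIO(KEYFILE), PROVIDERS)
    fixed = init_batch_cached(io.BytesIO(KEYFILE), PROVIDERS)
    return (keyed_with_empty_keyfile(flawed, PROVIDERS),
            keyed_with_empty_keyfile(fixed, PROVIDERS))


if __name__ == "__main__":
    print(demo())
```

Only the first provider in the flawed batch is tied to the real keyfile; the audit flags the rest because their keys can be reproduced with no secret input at all.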
