Commit 67ae177

1 parent 20b4495 commit 67ae177

Lines changed: 67 additions & 0 deletions
@@ -0,0 +1,67 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-f5p4-p5q5-jv3h",
4+
"modified": "2025-10-28T17:49:59Z",
5+
"published": "2025-10-28T17:49:59Z",
6+
"aliases": [],
7+
"summary": "Contrast has insecure LUKS2 persistent storage partitions may be opened and used",
8+
"details": "### Summary\n\nA malicious host may provide a crafted LUKS2 volume to a Contrast pod VM that uses the [secure persistent volume](https://docs.edgeless.systems/contrast/howto/encrypted-storage) feature. The guest will open the volume and write secret data using a volume key known to the attacker. \n\nLUKS2 volume metadata is (a) not authenticated and (b) supports null key-encryption algorithms, allowing an attacker to create a volume such that the volume:\n\n- Opens (cryptsetup open) without error using any passphrase or token\n- Records all writes in plaintext (or ciphertext with an attacker-known key)\n\n### Details\n\nContrast uses cryptsetup to setup secure persistent volumes, using the secret seed as key for the cryptsetup encryption. To do so the Contrast Initializer will invoke the `cryptsetup` CLI. If the device provided by Kubernetes is a identified as cryptsetup device, the Initializer assumes a pod restart happened and the device was previously encrypted with the secret seed. The Initializer will try to open the device, and assume it is protected if the operation succeeds. However, due to the unsafe handling of null keyslot algorithms in the cryptsetup 2.8.1, it is possible that the opened volume is not encrypted at all.\n\nCryptsetup prior to version 2.8.1 does not report an error when processing LUKS2-formatted disks that use the `cipher_null-ecb` algorithm in the keyslot `encryption` field.\n\n### Impact\n\nUsing a maliciously crafted cryptsetup device, an attacker can read confidential data that was written to the persistent volume that should have been protected by encryption.\n\nNotice that Contrast's persistent volumes weren't integrity protected, so the integrity impact of this attack isn't considered.\n\n### Patches\n\nA partial fix landed in [cryptsetup version 2.8.1](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/docs/v2.8.1-ReleaseNotes#L14), disabling null ciphers in keyslots when the user passphrase is nonempty. 
Contrast shipped this cryptsetup version shortly after it has been released upstream, in [Contrast version v1.12.1](https://github.com/edgelesssys/contrast/releases/tag/v1.12.1).\n\nHowever, LUKS header parsing and interpretation remains a large attack surface. Attackers may still be able to modify LUKS headers in other ways, such as triggering automatic reencryption or downgrading to weak ciphers. As a long term hardening solution, LUKS disks is encrypted in detached header mode. The detached header resides in a tmpfs file inside guest RAM, and is checked before it is used to open the device. This has been implemented in [#1731](https://github.com/edgelesssys/contrast/pull/1731) and released as part of [Contrast v1.13.0](https://github.com/edgelesssys/contrast/releases/tag/v1.13.0).\n\nIn addition, we added integrity protection for secure persistent storage as a new feature in [#1734](https://github.com/edgelesssys/contrast/pull/1734), which was also shipped as part of [v1.13.0](https://github.com/edgelesssys/contrast/releases/tag/v1.13.0).",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "Go",
19+
"name": "github.com/edgelesssys/contrast"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "1.12.1"
30+
}
31+
]
32+
}
33+
],
34+
"database_specific": {
35+
"last_known_affected_version_range": "<= 1.12.0"
36+
}
37+
}
38+
],
39+
"references": [
40+
{
41+
"type": "WEB",
42+
"url": "https://github.com/edgelesssys/contrast/security/advisories/GHSA-f5p4-p5q5-jv3h"
43+
},
44+
{
45+
"type": "WEB",
46+
"url": "https://github.com/edgelesssys/contrast/pull/1731"
47+
},
48+
{
49+
"type": "WEB",
50+
"url": "https://github.com/edgelesssys/contrast/commit/2252a231d570c2dce10a33660452b0bfc3c43958"
51+
},
52+
{
53+
"type": "PACKAGE",
54+
"url": "https://github.com/edgelesssys/contrast"
55+
}
56+
],
57+
"database_specific": {
58+
"cwe_ids": [
59+
"CWE-347",
60+
"CWE-552"
61+
],
62+
"severity": "MODERATE",
63+
"github_reviewed": true,
64+
"github_reviewed_at": "2025-10-28T17:49:59Z",
65+
"nvd_published_at": null
66+
}
67+
}
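Review bot: The `details` field contradicts itself about which cryptsetup versions are affected: the Details section attributes the bug to "the unsafe handling of null keyslot algorithms in the cryptsetup 2.8.1", while the following paragraph and the Patches section say it is cryptsetup prior to 2.8.1 that fails to report an error for `cipher_null-ecb` in the keyslot `encryption` field; the first sentence should read "prior to 2.8.1". Relatedly, the `affected` range lists `"fixed": "1.12.1"` with `last_known_affected_version_range` `<= 1.12.0`, yet the Patches section calls the cryptsetup 2.8.1 upgrade shipped in v1.12.1 a "partial fix" and describes the detached-header mode (#1731) and integrity protection (#1734) as landing in v1.13.0; either state in `details` that 1.12.1 closes the reported null-cipher case and that 1.13.0 is additional hardening, or change the fixed version to 1.13.0 so the range and the narrative agree. Minor wording in the same field: the `summary` ("Contrast has insecure LUKS2 persistent storage partitions may be opened and used") is not a sentence, "is a identified as cryptsetup device" should be "is identified as a cryptsetup device", "Contrast uses cryptsetup to setup" should be "to set up", and "LUKS disks is encrypted in detached header mode" should be "LUKS disks are encrypted". `aliases` is empty, so no CVE identifier is recorded for this advisory; add one here if one is assigned.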
