CVE-2021-4122 — Insufficient Verification of Data Authenticity in Project Cryptsetup

CWE-345 — Insufficient Verification of Data Authenticity CWE-349 — Acceptance of Extraneous Untrusted Data With Trusted Data8 documents8 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 71.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cryptsetup Project Cryptsetup

Timeline

PublishedAug 24

Latest updateAug 25

Description

It was found that a specially crafted LUKS header could trick cryptsetup into disabling encryption during the recovery of the device. An attacker with physical access to the medium, such as a flash disk, could use this flaw to force a user into permanently disabling the encryption layer of that medium.

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 0.7 | Impact: 3.6

Affected Packages3 packages

▶NVDcryptsetup_project/cryptsetup2.4.0 — 2.4.3+1

▶Debiancryptsetup_project/cryptsetup< 2:2.3.7-1+deb11u1+3

▶CVEListV5cryptsetup_project/cryptsetupFixed in cryptsetup 2.4.3, cryptsetup 2.3.7

Patches

Patch: gitlab.com ↗Patch: gitlab.com ↗

🔴Vulnerability Details

GHSA

GHSA-8fgw-wvm8-3x84: It was found that a specially crafted LUKS header could trick cryptsetup into disabling encryption during the recovery of the device↗2022-08-25

▶

OSV

CVE-2021-4122: It was found that a specially crafted LUKS header could trick cryptsetup into disabling encryption during the recovery of the device↗2022-08-24

▶

CVEList

CVE-2021-4122: It was found that a specially crafted LUKS header could trick cryptsetup into disabling encryption during the recovery of the device↗2022-08-24

▶

📋Vendor Advisories

Microsoft

▶

Ubuntu

cryptsetup vulnerability↗2022-02-15

▶

Red Hat

cryptsetup: disable encryption via header rewrite↗2022-01-13

▶

Debian

CVE-2021-4122: cryptsetup - It was found that a specially crafted LUKS header could trick cryptsetup into di...↗2021

▶