FreeBSD 10.x ZFS encryption.key Disclosure

2015-04-08T00:00:00
ID PACKETSTORM:131338
Type packetstorm
Reporter Pierre Kim
Modified 2015-04-08T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
## Advisory Information  
  
Title: FreeBSD 10.x ZFS encryption.key disclosure (CVE-2015-1415)  
Advisory URL: https://pierrekim.github.io/advisories/CVE-2015-1415.txt.asc  
Date published: 2015-04-07  
Vendors contacted: FreeBSD  
Release mode: Coordinated release  
  
  
  
## Product Description  
  
FreeBSD is a UNIX-like operating system.  
  
  
  
## Vulnerability Summary  
  
FreeBSD 10.x installer supports the installation of FreeBSD 10.x on an  
encrypted ZFS filesystem by default.  
  
When using the encryption system within ZFS during the installation of  
FreeBSD 10.0 and FreeBSD 10.1, the encryption.key has wrong permissions  
which allow local users to read this file.  
  
Even if the keyfile is passphrase-encrypted, it can present a risk.  
  
  
  
## Details  
  
By default, the encryption key file is /boot/encryption.key.  
  
Instead of being 0600, the permissions are 0644:  
  
$ ls -la /boot/encryption.key  
- -rw-r--r-- 1 root wheel 4096 Feb 17 15:16 /boot/encryption.key  
$  
  
This file is readable by a local user.  
  
  
  
## Vendor Response  
  
According to the vendor, a security advisory will be published, describing  
the problem and the solution. It concerns:  
  
- stable/10, 10.1-STABLE  
- releng/10.1, 10.1-RELEASE-p8  
- releng/10.0, 10.0-RELEASE-p18  
  
  
## Report Timeline  
  
* Mar 01, 2015: Problem found by Pierre Kim  
* Apr 01, 2015: Vendor is notified of the vulnerability  
* Apr 01, 2015: Vendor confirms report and indicates a fix is prepared  
but there will be no security advisory format notification because of  
the nature of the problem  
* Apr 02, 2015: Pierre Kim asks a CVE number to the vendor  
* Apr 02, 2015: Vendor indicates to use CVE-2015-1415 and confirms that a  
signed notification to the mailing lists will be sent.  
* Apr 03, 2015: Pierre Kim contacts FreeBSD about the future notification  
* Apr 04, 2015: Vendor confirms a security advisory will be published  
next week  
* Apr 07, 2015: Vendor publishes a security advisory (FreeBSD-SA-15:08)  
* Apt 07, 2015: This advisory is sent to bugtraq@  
  
  
  
## Credit  
  
This vulnerability was found by Pierre Kim (@PierreKimSec).  
  
  
  
## References  
  
https://www.freebsd.org/doc/handbook/bsdinstall-partitioning.html  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1415  
https://www.freebsd.org/security/advisories/FreeBSD-SA-15:08.bsdinstall.asc  
  
  
  
## Disclaimer  
  
This advisory is licensed under a Creative Commons Attribution Non-Commercial  
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1  
  
iQIcBAEBCAAGBQJVJF22AAoJEMQ+Dtp9ky28NDgP/iW9YALiZKLPVhnShFEhFO4C  
SvSza1s7LJkhtOH8qOGplzTrn8wSV5BNhwzMaIaKpksP5RjoCkynxvAw/OncazPl  
tsfHM89m7bQ4puyXF3eb6lMkfaIkxoDAXM5R5DFb2Q+3wg4SDygdM7+BQEdqCXDV  
2B+ZNGae2CcsqLq04zjskFgY2bwqNMyX3GbbmUJvVI5IXQIS30e1lVIq8zxcK7u0  
lKFlVyp+gdyusenPz0lCqR82Pe1IA3tHuNn2zw3/EudT4VhD789/t/0lEWlSyNg7  
uiTCqFpQXnpEnvXEez1gZiDuNccIMXXYv0agB+/mYkkoviQPk5jqCwI5rvs+ppFU  
IH0gAafqS/UIl5+/dhDdIVDA4+r4WWLUxJfFkDy4ThCQHZtZMCsBYk3/RNJBPDUW  
JiVZWV8LSSHtYfWj7YoiCswuC9FLp6CT9e+/XQUJjpNrwfpeT5KlFOCFUKQXwV6W  
5nUJnQhjVfrXVjeRuOvMCInSwG8DWbfyX75QMmJNyV7aPMrS2prRXbOlTLuQUyzP  
cJkmToeO4XE4COV+jvtC+c39Booy3r8yp3lfHmz1NXffiv6Ua+11vLamUeYOVPew  
r4TmionPpSeAx3ODhKEKGjW+HIkl9sx3WcSnEBl88Aqd3Zv77G3ok4usFz4PvPnb  
/hnH/lhpePtv13jyZpXc  
=pOPH  
-----END PGP SIGNATURE-----  
`