Lucene search

K
ubuntucveUbuntu.comUB:CVE-2020-14382
HistorySep 03, 2020 - 12:00 a.m.

CVE-2020-14382

2020-09-0300:00:00
ubuntu.com
ubuntu.com
20
cryptsetup vulnerability
luks2 bug
memory allocation overflow
data manipulation

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

43.5%

A vulnerability was found in upstream release cryptsetup-2.2.0 where,
there’s a bug in LUKS2 format validation code, that is effectively invoked
on every device/image presenting itself as LUKS2 container. The bug is in
segments validation code in file ‘lib/luks2/luks2_json_metadata.c’ in
function hdr_validate_segments(struct crypt_device *cd, json_object
*hdr_jobj) where the code does not check for possible overflow on memory
allocation used for intervals array (see statement “intervals =
malloc(first_backup * sizeof(*intervals));”). Due to the bug, library can
be tricked to expect such allocation was successful but for far less
memory then originally expected. Later it may read data FROM image crafted
by an attacker and actually write such data BEYOND allocated memory.

Bugs

Notes

Author Note
debian Introduced with v2.2.0-rc0 with a7f80a27701450e40ef37e2224577f1a0c98cf0f
OSVersionArchitecturePackageVersionFilename
ubuntu20.04noarchcryptsetup< 2:2.2.2-3ubuntu2.2UNKNOWN

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

43.5%