Recently the news broke that a vulnerability was identified (already listed under CVE-2021-4122) in the Cryptsetup package, which is used to encrypt disk partitions in Linux.
To exploit the vulnerability, an attacker must have physical access to the encrypted medium. The method therefore mainly makes sense for attacking encrypted external drives, such as flash drives, to which the attacker has access but for which they do not know the decryption password.
The attack is applicable only to the LUKS2 format and relies on manipulating the metadata responsible for activating the "online reencryption" extension, which makes it possible, when the access key needs to be changed, to re-encrypt the data on the fly without stopping work with the partition.
Since decrypting the data and encrypting it with a new key takes a long time, "online reencryption" avoids interrupting work with the partition by performing the re-encryption in the background, gradually transferring data from one key to the other. In particular, it is possible to select an empty target key, which converts the partition to unencrypted form.
An attacker can make changes to the LUKS2 metadata that simulate a decryption operation aborted by a failure, and thereby achieve decryption of part of the partition once the owner next activates and uses the modified drive. The user who connects the modified drive and unlocks it with the correct password receives no warning that an interrupted re-encryption operation is being resumed, and can find out about the progress of this operation only with the "luksDump" command. The amount of data an attacker can decrypt depends on the size of the LUKS2 header, but with the default size (16 MiB) it can exceed 3 GB.
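The check that paragraph leaves to "luksDump" can also be run on a header image before the drive is unlocked. The following is an added example, not code from cryptsetup or from the original article: it reads the JSON metadata area of a LUKS2 primary header and lists every marker of a pending re-encryption. The marker names ("online-reencrypt" requirement, keyslot type "reencrypt", segment flag "in-reencryption") are assumptions taken from the LUKS2 on-disk format, and the sample metadata is constructed.

```python
import json
import struct

LUKS2_MAGIC = b"LUKS\xba\xbe"   # primary header magic
BIN_HDR_SIZE = 4096             # fixed binary header; the JSON area follows it

def read_luks2_json(header: bytes) -> dict:
    """Return the JSON metadata from a raw LUKS2 primary header image."""
    magic, version, hdr_size = struct.unpack(">6sHQ", header[:16])
    if magic != LUKS2_MAGIC or version != 2:
        raise ValueError("not a LUKS2 primary header")
    if not BIN_HDR_SIZE < hdr_size <= len(header):
        raise ValueError("truncated or implausible header size")
    # The JSON text is NUL-padded to the end of the area.
    return json.loads(header[BIN_HDR_SIZE:hdr_size].split(b"\x00", 1)[0])

def reencryption_findings(meta: dict) -> list:
    """List every sign that activating the volume would resume a re-encryption."""
    out = []
    reqs = meta.get("config", {}).get("requirements", {}).get("mandatory", [])
    out += [f"requirement:{r}" for r in reqs if r.startswith("online-reencrypt")]
    for sid, slot in sorted(meta.get("keyslots", {}).items()):
        if slot.get("type") == "reencrypt":
            out.append(f"keyslot:{sid}:mode={slot.get('mode')}")
    for sid, seg in sorted(meta.get("segments", {}).items()):
        if "in-reencryption" in seg.get("flags", []):
            out.append(f"segment:{sid}:in-reencryption")
    return out

def make_header(meta: dict, hdr_size: int = 16384) -> bytes:
    """Build a constructed header image (checksum and other fields left zeroed)."""
    binary = struct.pack(">6sHQ", LUKS2_MAGIC, 2, hdr_size).ljust(BIN_HDR_SIZE, b"\x00")
    return binary + json.dumps(meta).encode().ljust(hdr_size - BIN_HDR_SIZE, b"\x00")

# Constructed metadata: a header that claims an interrupted decryption.
SUSPICIOUS = {
    "keyslots": {"0": {"type": "luks2"},
                 "1": {"type": "reencrypt", "mode": "decrypt", "direction": "backward"}},
    "segments": {"0": {"type": "crypt", "flags": ["in-reencryption"]}},
    "config": {"requirements": {"mandatory": ["online-reencrypt"]}},
}
CLEAN = {"keyslots": {"0": {"type": "luks2"}},
         "segments": {"0": {"type": "crypt"}}, "config": {}}

if __name__ == "__main__":
    for name, meta in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(name, reencryption_findings(read_luks2_json(make_header(meta))))
```

Any finding on a drive whose owner never started a re-encryption is a reason not to unlock it on an unpatched system; a `mode=decrypt` keyslot is the case the article describes.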
The problem originates from the fact that, although the re-encryption operation requires the hashes of the new and old keys to be calculated and verified, no hash is required to resume an interrupted decryption process if the new state implies the absence of an encryption key (plaintext).
In addition, the LUKS2 metadata specifying the encryption algorithm is not protected from modification if it falls into the hands of an attacker. To block the vulnerability, the developers added additional metadata protection to LUKS2: an additional hash, calculated from the known keys and the metadata content, is now verified, so an attacker can no longer stealthily change the metadata without knowing the decryption password.
A typical attack scenario requires the attacker to have the opportunity to get their hands on the drive several times. First, the attacker, who does not know the access password, makes changes to the metadata area that initiate decryption of part of the data the next time the drive is activated.
The drive is then returned to its place and the attacker waits until the user connects it and enters the password. When the user activates the device, a re-encryption process starts in the background, during which part of the encrypted data is replaced with decrypted data. If the attacker is then able to get their hands on the device again, some of the data on the drive will be decrypted.
The problem was identified by the maintainer of the cryptsetup project and fixed in the cryptsetup 2.4.3 and 2.3.7 updates.
The status of the updates that fix the problem in the distributions can be tracked on these pages: RHEL, SUSE, Fedora, Ubuntu, Arch. The vulnerability appears only since the release of cryptsetup 2.2.0, which introduced support for the "online reencryption" operation. Running cryptsetup with the "--disable-luks2-reencryption" option can be used as a security workaround.
Finally, if you are interested in knowing more about it, you can check the details in the following link