what you don't know can hurt you

FreeBSD 10.x ZFS encryption.key Disclosure

FreeBSD 10.x ZFS encryption.key Disclosure
Posted Apr 8, 2015
Authored by Pierre Kim

FreeBSD 10.x installer supports the installation of FreeBSD 10.x on an encrypted ZFS filesystem by default. When using the encryption system within ZFS during the installation of FreeBSD 10.0 and FreeBSD 10.1, the encryption.key has wrong permissions which allow local users to read this file. Even if the keyfile is passphrase-encrypted, it can present a risk.

tags | exploit, local, info disclosure
systems | freebsd
advisories | CVE-2015-1415
MD5 | 07a9532173408a514f487eeee305e6b7

FreeBSD 10.x ZFS encryption.key Disclosure

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

## Advisory Information

Title: FreeBSD 10.x ZFS encryption.key disclosure (CVE-2015-1415)
Advisory URL: https://pierrekim.github.io/advisories/CVE-2015-1415.txt.asc
Date published: 2015-04-07
Vendors contacted: FreeBSD
Release mode: Coordinated release



## Product Description

FreeBSD is a UNIX-like operating system.



## Vulnerability Summary

FreeBSD 10.x installer supports the installation of FreeBSD 10.x on an
encrypted ZFS filesystem by default.

When using the encryption system within ZFS during the installation of
FreeBSD 10.0 and FreeBSD 10.1, the encryption.key has wrong permissions
which allow local users to read this file.

Even if the keyfile is passphrase-encrypted, it can present a risk.



## Details

By default, the encryption key file is /boot/encryption.key.

Instead of being 0600, the permissions are 0644:

$ ls -la /boot/encryption.key
- -rw-r--r-- 1 root wheel 4096 Feb 17 15:16 /boot/encryption.key
$

This file is readable by a local user.



## Vendor Response

According to the vendor, a security advisory will be published, describing
the problem and the solution. It concerns:

- stable/10, 10.1-STABLE
- releng/10.1, 10.1-RELEASE-p8
- releng/10.0, 10.0-RELEASE-p18


## Report Timeline

* Mar 01, 2015: Problem found by Pierre Kim
* Apr 01, 2015: Vendor is notified of the vulnerability
* Apr 01, 2015: Vendor confirms report and indicates a fix is prepared
but there will be no security advisory format notification because of
the nature of the problem
* Apr 02, 2015: Pierre Kim asks a CVE number to the vendor
* Apr 02, 2015: Vendor indicates to use CVE-2015-1415 and confirms that a
signed notification to the mailing lists will be sent.
* Apr 03, 2015: Pierre Kim contacts FreeBSD about the future notification
* Apr 04, 2015: Vendor confirms a security advisory will be published
next week
* Apr 07, 2015: Vendor publishes a security advisory (FreeBSD-SA-15:08)
* Apt 07, 2015: This advisory is sent to bugtraq@



## Credit

This vulnerability was found by Pierre Kim (@PierreKimSec).



## References

https://www.freebsd.org/doc/handbook/bsdinstall-partitioning.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1415
https://www.freebsd.org/security/advisories/FreeBSD-SA-15:08.bsdinstall.asc



## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJVJF22AAoJEMQ+Dtp9ky28NDgP/iW9YALiZKLPVhnShFEhFO4C
SvSza1s7LJkhtOH8qOGplzTrn8wSV5BNhwzMaIaKpksP5RjoCkynxvAw/OncazPl
tsfHM89m7bQ4puyXF3eb6lMkfaIkxoDAXM5R5DFb2Q+3wg4SDygdM7+BQEdqCXDV
2B+ZNGae2CcsqLq04zjskFgY2bwqNMyX3GbbmUJvVI5IXQIS30e1lVIq8zxcK7u0
lKFlVyp+gdyusenPz0lCqR82Pe1IA3tHuNn2zw3/EudT4VhD789/t/0lEWlSyNg7
uiTCqFpQXnpEnvXEez1gZiDuNccIMXXYv0agB+/mYkkoviQPk5jqCwI5rvs+ppFU
IH0gAafqS/UIl5+/dhDdIVDA4+r4WWLUxJfFkDy4ThCQHZtZMCsBYk3/RNJBPDUW
JiVZWV8LSSHtYfWj7YoiCswuC9FLp6CT9e+/XQUJjpNrwfpeT5KlFOCFUKQXwV6W
5nUJnQhjVfrXVjeRuOvMCInSwG8DWbfyX75QMmJNyV7aPMrS2prRXbOlTLuQUyzP
cJkmToeO4XE4COV+jvtC+c39Booy3r8yp3lfHmz1NXffiv6Ua+11vLamUeYOVPew
r4TmionPpSeAx3ODhKEKGjW+HIkl9sx3WcSnEBl88Aqd3Zv77G3ok4usFz4PvPnb
/hnH/lhpePtv13jyZpXc
=pOPH
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    35 Files
  • 8
    Jul 8th
    4 Files
  • 9
    Jul 9th
    9 Files
  • 10
    Jul 10th
    7 Files
  • 11
    Jul 11th
    4 Files
  • 12
    Jul 12th
    4 Files
  • 13
    Jul 13th
    14 Files
  • 14
    Jul 14th
    19 Files
  • 15
    Jul 15th
    8 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close