#VU63770 Insufficient verification of data authenticity in cryptsetup - CVE-2021-4122


Vulnerability identifier: #VU63770

Vulnerability risk: Medium

CVSSv4.0: 3.7 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-4122

CWE-ID: CWE-345

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
cryptsetup
Other software / Other software solutions

Vendor: cryptsetup

Description
The vulnerability allows a local attacker to escalate privileges on the system.

The vulnerability exists due to improper handling of the LUKS2 reencryption recover. A local attacker with physical access to the medium can send a specially crafted LUKS header and trick cryptsetup into disabling encryption during the recovery of the device.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

cryptsetup: 2.3.0 - 2.4.2

External links
https://ubuntu.com/security/notices/USN-5286-1
https://bugzilla.redhat.com/show_bug.cgi?id=2032401

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Amazon Linux AMI update for cryptsetup
Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)
Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak
Multiple vulnerabilities in IBM Netcool Operations Insight
Multiple vulnerabilities in Migration Toolkit for Containers 1.5
Multiple vulnerabilities in Red Hat OpenStack 16.2 packages
Multiple vulnerabilities in Red Hat Advanced Cluster Management for Kubernetes 2.3
Multiple vulnerabilities in OpenShift API for Data Protection (OADP) 1.0
openEuler update for cryptsetup
Ubuntu update for cryptsetup