CVE-2023-0751
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
When GELI reads a key file from standard input, it does not reuse the key file to initialize multiple providers at once resulting in the second and subsequent devices silently using a NULL key as the user key file. If a user only uses a key file without a user passphrase, the master key is encrypted with an empty key file allowing trivial recovery of the master key.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| FreeBSD | FreeBSD | 13.1-RELEASE < 13.1-RELEASE-p6 | affected |
| FreeBSD | FreeBSD | 12.4-RELEASE < 12.4-RELEASE-p1 | affected |
| FreeBSD | FreeBSD | 12.3-RELEASE < 12.3-RELEASE-p11 | affected |
Weaknesses
- CWE-20: CWE-20 Improper Input Validation
ADP Enrichment
CVE Program Container
Additional References
- https://security.netapp.com/advisory/ntap-20230316-0004/
- https://security.FreeBSD.org/advisories/FreeBSD-SA-23:01.geli.asc
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.