CVE-2023-0751

Summary

When GELI reads a key file from standard input, it does not reuse the key file to initialize multiple providers at once resulting in the second and subsequent devices silently using a NULL key as the user key file. If a user only uses a key file without a user passphrase, the master key is encrypted with an empty key file allowing trivial recovery of the master key.

Affected Software

VendorProductVersion RangeStatus
FreeBSDFreeBSD13.1-RELEASE < 13.1-RELEASE-p6affected
FreeBSDFreeBSD12.4-RELEASE < 12.4-RELEASE-p1affected
FreeBSDFreeBSD12.3-RELEASE < 12.3-RELEASE-p11affected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References