CVE-2021-4122

Name
CVE-2021-4122
Description
It was found that a specially crafted LUKS header could trick cryptsetup into disabling encryption during the recovery of the device. An attacker with physical access to the medium, such as a flash disk, could use this flaw to force a user into permanently disabling the encryption layer of that medium.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://bugzilla.redhat.com/show_bug.cgi?id=2031859
MISC https://bugzilla.redhat.com/show_bug.cgi?id=2032401
MISC https://access.redhat.com/security/cve/CVE-2021-4122
MISC https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.4/v2.4.3-ReleaseNotes
MISC https://gitlab.com/cryptsetup/cryptsetup/-/commit/0113ac2d889c5322659ad0596d4cfc6da53e356c

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:cryptsetup_project:cryptsetup:*:*:*:*:*:*:*:* cryptsetup >= 2.4.0 < 2.4.3
cpe:2.3:a:cryptsetup_project:cryptsetup:*:*:*:*:*:*:*:* cryptsetup >= None < 2.3.7

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
cryptsetup 3.15-main 2.4.3-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
cryptsetup 3.14-main 2.3.7-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
cryptsetup 3.13-main 2.3.7-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
cryptsetup 3.12-main 2.3.7-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
cryptsetup 3.16-main 2.4.3-r0 Natanael Copa <ncopa@alpinelinux.org> fixed