Version 1.0.13 of Mandos is released: SECURITY BUG FIX!

Teddy Hogeborn teddy at fukt.bsnet.se
Thu Oct 22 01:46:59 CEST 2009


Version 1.0.13 of Mandos is released.  This is a security bug fix
release.

Thanks to "C. Dominik Bodi" <dominik.bodi at gmx.de> for reporting this
problem!  <http://bugs.debian.org/551907>

Who Is Affected?
================

The security bug affects users running the Mandos server on the same
computer as a Mandos client.  Those that do not are not affected.

Bug Effects
===========

The Mandos server has a "clients.conf" file containing encrypted
versions of passwords for the clients' encrypted disks.  If the same
computer also was a Mandos client, this file was mistakenly copied
into the /boot/initrd.img* file, making the contents of that file
vulnerable to a physical attack on the computer.  This will
automatically fix itself on installation of mandos-client 1.0.13,
when the /boot/initrd.img* file is rebuilt.

Bug Impact and Recovery
=======================

The impact of the clients.conf file being vulnerable to a physical
attack on the computer is that if both the Mandos server (with a
vulnerable clients.conf) and the Mandos client are seized by a
physical attacker, the disks will be readable - it will be as if the
disks were not encrypted.

Note: There is nothing to worry about if ANY of these are true:

1. A Mandos server is not also a Mandos client.

2. Neither the Mandos server nor the Mandos client has been
   compromised, either by root compromise or by physical attack.

This security bug *only* affects the security of what happens *after*
an attack - if there has not been an attack yet, the system is secure
once it is upgraded to Mandos 1.0.13.  No keys or passwords need to
be changed.

If the Mandos server is suspected to *be* compromised, all the
encrypted disk passwords for the clients should be changed - this will
make any leaked information useless.

(Conversely, if a key from a Mandos client should ever be compromised,
it is a simple case of just generating a new one and creating a new
stanza for the Mandos server "clients.conf" file.  But this is NOT
what this bug is about.)

More Bug Details
================

The script to create new /boot/initrd.img* files copied *all files*
from /etc/mandos, when in reality it only needed "plugin-runner.conf".
This was in anticipation of any user-supplied or future plugins
needing config files, but we overlooked the fact that the config files
for the Mandos *server* were present in the same directory.

We are very ashamed of this blatant mistake.  We do try to do better
than this.

Version 1.0.13 (2009-10-22)
* Client
** Security bug fix: If Mandos server is also installed, do not copy
   its config files (with encrypted passwords) into the initrd.img-*
   files.

The upload would fix these Debian bugs: 551907
The Debian package for unstable can be found on mentors.debian.net:
- dget http://mentors.debian.net/debian/pool/main/m/mandos/mandos_1.0.13-1.dsc

/Teddy Hogeborn

-- 
The Mandos Project
http://www.fukt.bsnet.se/mandos
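
Added example, not part of the original announcement or the Mandos project's code: a shell check that scans initrd file listings for the server's "clients.conf" described under "More Bug Details". The loose path match and the use of lsinitramfs (from initramfs-tools) are assumptions, since the announcement does not say where inside the image the file ended up.

```shell
#!/bin/sh
# Reads one path per line on stdin (the format lsinitramfs or "cpio -t"
# prints). Prints each offending path; returns 1 if any are found, else 0.
find_leaked_mandos_conf() {
    # Match clients.conf (the server file named in the announcement) under
    # any directory whose name contains "mandos". The in-image layout is an
    # assumption, so the pattern is deliberately loose.
    hits=$(grep -E '(^|/)[^/]*mandos[^/]*/(.*/)?clients\.conf$' || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Check every initrd image in a directory (default: /boot).
# Returns 0 if all images are clean, 1 if any contains clients.conf,
# 2 if lsinitramfs is not available.
scan_boot_images() {
    dir=${1:-/boot}
    status=0
    command -v lsinitramfs >/dev/null 2>&1 || {
        echo "lsinitramfs not found (assumed: initramfs-tools)" >&2
        return 2
    }
    for img in "$dir"/initrd.img*; do
        [ -f "$img" ] || continue
        if ! leaked=$(lsinitramfs "$img" | find_leaked_mandos_conf); then
            echo "LEAK in $img: $leaked"
            status=1
        fi
    done
    return $status
}

# Usage: sh check-initrd.sh --scan [directory]
if [ "${1:-}" = "--scan" ]; then
    scan_boot_images "${2:-/boot}"
fi
```

Old images kept in /boot for previous kernels are scanned as well, so a leftover copy of the file built before the upgrade is reported too.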
