Vulnerability Details CVE-2019-13179
Calamares versions 3.1 through 3.2.10 copy a LUKS encryption keyfile from /crypto_keyfile.bin (mode 0600, owned by root) to /boot within a globally readable initramfs image with insecure permissions, which allows this originally protected file to be read by any user, thereby disclosing decryption keys for LUKS containers created with Full Disk Encryption.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.008
EPSS Ranking 73.9%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
Products affected by CVE-2019-13179
- cpe:2.3:a:calamares:calamares:3.1
- cpe:2.3:a:calamares:calamares:3.1.1
- cpe:2.3:a:calamares:calamares:3.1.10
- cpe:2.3:a:calamares:calamares:3.1.11
- cpe:2.3:a:calamares:calamares:3.1.12
- cpe:2.3:a:calamares:calamares:3.1.13
- cpe:2.3:a:calamares:calamares:3.1.2
- cpe:2.3:a:calamares:calamares:3.1.3
- cpe:2.3:a:calamares:calamares:3.1.4
- cpe:2.3:a:calamares:calamares:3.1.5
- cpe:2.3:a:calamares:calamares:3.1.6
- cpe:2.3:a:calamares:calamares:3.1.7
- cpe:2.3:a:calamares:calamares:3.1.8
- cpe:2.3:a:calamares:calamares:3.1.9
- cpe:2.3:a:calamares:calamares:3.2
- cpe:2.3:a:calamares:calamares:3.2.0
- cpe:2.3:a:calamares:calamares:3.2.1
- cpe:2.3:a:calamares:calamares:3.2.10
- cpe:2.3:a:calamares:calamares:3.2.2
- cpe:2.3:a:calamares:calamares:3.2.3
- cpe:2.3:a:calamares:calamares:3.2.4
- cpe:2.3:a:calamares:calamares:3.2.5
- cpe:2.3:a:calamares:calamares:3.2.6
- cpe:2.3:a:calamares:calamares:3.2.7
- cpe:2.3:a:calamares:calamares:3.2.8
- cpe:2.3:a:calamares:calamares:3.2.9