Urgent Fix for CentOS 8 Encryption Bug – What Do You Want?
Short News:
CentOS 8 is no longer supported by vendors. LUKS (Linux Unified Key Setup) is a mechanism used in Linux-powered systems to support full disk encryption. CVE-2021-4122 is a newly discovered flaw that could allow hackers to get into your encrypted data: LUKS-encrypted disks can be partially decrypted and the data accessed even if the password used to configure the encryption is not known. The LUKS flaw will not be fixed in CentOS 8 because the operating system is no longer supported by Red Hat or Ubuntu.
If you're running an affected version of Linux, here are your patching options. You can download the project's source code and compile it on your own, creating a new system package. Alternatively, you can choose to sign a contract with a third-party vendor that will supply missing patches. You must take action immediately to protect your systems from the new vulnerability. Your best option is to look into extended support vendors, which are dependable and cost-effective. TuxCare offers Extended Lifecycle Support for end-of-life distributions such as CentOS 8.
Detailed News:
Death, taxes, and new CVEs are the only things that are certain in life. Those organizations that have relied on CentOS 8 for a long time now have to deal with the inevitable. CentOS 8 users are at serious risk of a severe attack just two weeks after the official end of life of the operating system, and CentOS isn't providing any support for them.
CentOS 8 is no longer supported by vendors, so you'd think that this problem would no longer affect a significant number of organizations. In the end, though, security and compliance cannot be achieved without the assistance of the vendor.
Even though CentOS 8 is no longer supported, you can count on a large number of users continuing to use it, despite the risks. If you're concerned about CVE-2021-4122, a newly discovered flaw that could allow hackers to get into your LUKS encrypted data, this article is for you.
Where did you hear that?
So what is LUKS? LUKS (Linux Unified Key Setup) is a mechanism used in Linux-powered systems to support full disk encryption, among other things. Many "best practice" guides recommend it as an essential system hardening option for security-conscious IT teams.
What is LUKS's mechanism? When deploying a system, you can create a partition that can only be accessed with a password provided by the user. This article does not aim to be a comprehensive LUKS guide because the technology is complex and many security systems interact with it.
In the event that an attacker steals a laptop, for example, he or she will still be unable to access the confidential data stored on the laptop's encrypted disk (block device in Linux "speak").
To enhance security, a block device can be bound to an individual computer using a TPM (Trusted Platform Module). As a result, brute-forcing access to encrypted data on a machine is more difficult, since the disk must be physically removed from the machine and plugged into a powerful system. Success is still dependent on computing power, encryption algorithm choice, and pure luck, as it always has been.
LUKS is a popular choice for securing systems in a wide range of organizations because it provides excellent protection.
Recognizing and fixing the LUKS bug
It was only recently that a full understanding of the security risks associated with LUKS emerged, despite CVE-2021-4122 being assigned late last year. A LUKS-encrypted disk can be partially decrypted and its data accessed even if the password used to configure the encryption is not known.
The ability to dynamically alter the encryption key for a given device is a key feature of LUKS. For example, in high-security environments, you might use this technique to automate key rotations on a regular schedule.
This feature lets the device stay in use while the new encryption key is being applied. Re-encrypting a disk with a different key while it is online and in use is known as "online re-encryption."
A weakness was discovered as a result of this procedure. As it turns out, if you know what you're doing, you don't need the original, current password to perform this operation. You can request a re-encryption even if you don't have a password.
An attacker taking advantage of the flaw would make this process appear to be aborted, and some of the data would be left available unencrypted. Because the device never exhibits any unusual behavior, it would be difficult to identify an attacker simply by checking the status of the block device.
All systems under the control of sysadmins should have cryptsetup, the package supporting LUKS, upgraded to avoid data leakage.
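Two checks a sysadmin can run on a host before and after upgrading cryptsetup, as an added example written for this article rather than code from the LUKS project, Red Hat or TuxCare: one looks at the LUKS2 header for a re-encryption that nobody started (the situation the paragraphs above describe), the other looks at the installed package's RPM changelog for the CVE. It assumes that `cryptsetup luksDump` reports a pending online re-encryption as an `online-reencrypt` entry on the `Requirements:` line, and that a patched vendor package mentions CVE-2021-4122 in its changelog; both are conventions, not guarantees, so treat a miss as "verify by hand", not "safe". The sample header dumps and changelog at the bottom are constructed so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not from the article: defender-side checks for CVE-2021-4122.
# The pure functions parse text the caller obtained from
# `cryptsetup luksDump <device>` and `rpm -q --changelog cryptsetup`.
# Assumption: a LUKS2 header with an unfinished online reencryption lists
# "online-reencrypt" on the Requirements: line of luksDump output.
set -u

CVE_ID="CVE-2021-4122"

# luks_reencrypt_pending DUMP_TEXT
# Exit 0 if the luksDump text shows an unfinished online reencryption, 1 otherwise.
# A reencryption you did not start is worth alerting on, not just logging.
luks_reencrypt_pending() {
    printf '%s\n' "$1" | grep -Eq '^Requirements:.*online-reencrypt'
}

# luks_version DUMP_TEXT -> prints the LUKS header version (1 or 2).
# Only LUKS2 supports online reencryption; LUKS1 headers are not exposed this way.
luks_version() {
    printf '%s\n' "$1" | awk -F':' '$1=="Version" {gsub(/[[:space:]]/,"",$2); print $2; exit}'
}

# changelog_fixes_cve CHANGELOG_TEXT
# Exit 0 if the installed package's RPM changelog references the CVE fix.
changelog_fixes_cve() {
    printf '%s\n' "$1" | grep -q "$CVE_ID"
}

# audit_device DEVICE  (live check; needs root and cryptsetup on the host)
audit_device() {
    local dev="$1" dump
    dump=$(cryptsetup luksDump "$dev" 2>/dev/null) || { echo "ERR   $dev: luksDump failed"; return 2; }
    if [ "$(luks_version "$dump")" = "2" ] && luks_reencrypt_pending "$dump"; then
        echo "ALERT $dev: LUKS2 header has a pending online reencryption"
        return 1
    fi
    echo "OK    $dev: no pending reencryption"
}

# audit_host: package check plus every LUKS device blkid can see.
audit_host() {
    local rc=0 changelog dev
    changelog=$(rpm -q --changelog cryptsetup 2>/dev/null || true)
    if changelog_fixes_cve "$changelog"; then
        echo "OK    cryptsetup changelog references $CVE_ID"
    else
        echo "WARN  cryptsetup changelog does not mention $CVE_ID; verify the package by hand"
        rc=1
    fi
    for dev in $(blkid -t TYPE=crypto_LUKS -o device); do
        audit_device "$dev" || rc=1
    done
    return $rc
}

# Constructed sample data (not captured from a real host).
SAMPLE_DUMP_CLEAN='LUKS header information
Version:        2
Epoch:          3
Flags:          (no flags)
Requirements:   (no requirements)'

SAMPLE_DUMP_PENDING='LUKS header information
Version:        2
Epoch:          7
Flags:          (no flags)
Requirements:   online-reencrypt'

SAMPLE_CHANGELOG_FIXED='* Mon Jan 01 2022 Example Maintainer <maintainer@example.invalid> - 0.0.0-0
- Fix CVE-2021-4122 (online reencryption crash recovery)'

if [ "${1:-}" = "--live" ]; then
    audit_host
else
    luks_reencrypt_pending "$SAMPLE_DUMP_CLEAN"   && echo "clean sample: ALERT" || echo "clean sample: no pending reencryption"
    luks_reencrypt_pending "$SAMPLE_DUMP_PENDING" && echo "pending sample: ALERT" || echo "pending sample: clean"
    changelog_fixes_cve "$SAMPLE_CHANGELOG_FIXED" && echo "changelog sample: fix referenced"
fi
```

Run it with no arguments to exercise the parsers on the constructed samples; run it as root with `--live` on a CentOS 8 host to check the real cryptsetup package and every LUKS device. Since the attack leaves the device looking normal, the header check is the part worth scheduling, for instance from cron, so that a reencryption nobody scheduled is noticed.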
So, I guess I'll just patch everything up and keep going...?
Exactly. Replacing the affected package is something that every system administrator should do on their systems. However, for some sysadmins, this may be more difficult than it appears. For which sysadmins does this pose a challenge? Those who are still relying on CentOS 8.
The bug was known to the majority of vendors ahead of time, and as a result, they have already provided their distributions with patched packages. Red Hat, which backs CentOS, has done so, and so has Ubuntu. The LUKS flaw will not be fixed in CentOS 8 because the operating system is no longer officially supported.
The outlook for CentOS 8 users is bleak, to say the least. Due to a widely publicized flaw, unpatched systems are vulnerable to data theft. It's a serious situation, and you should either deploy the most recent patched version of the affected package or find a way to patch it yourself.
When confidential information is at risk, there is no option but to take action. To prevent unauthorized access, you're using a full disk encryption solution like LUKS to protect all of your private data. This would have been the case anyway.
If you're still running CentOS 8, here are your patching options.
Sysadmins using affected Linux systems that are past their expiration date can choose between two options. Either you download the project's source code and compile it on your own, creating a new system package, or you sign a contract with a third-party vendor that will supply the missing patches.
There are disadvantages to building everything locally. To target a specific distribution, you'll need to modify the original project's source code, because there are peculiarities specific to each distribution or group of distributions. The RHEL family, which includes CentOS, has its own quirks as well.
Such things as service start configurations and settings are included in this category. It's up to your local team to make these adjustments. Whether or not your local IT team has the required expertise is a different matter. Similarly, because tech teams are often pressed for time, your own patching efforts may be put on hold. Please always prefer using distro-specific build tools rather than manually configuring cryptsetup, as stated on the LUKS project page itself.
Your best option is to look into extended support vendors, which are dependable, cost-effective, and simple to use. To that end, TuxCare offers Extended Lifecycle Support. End-of-life distributions such as CentOS 8 are patched promptly by TuxCare.
Full patch support is also included. TuxCare patches are just as easy to deploy as patches provided by the vendor.
You must take action immediately.
In the event that you choose not to seek outside assistance, you must still do something to protect your systems from the new vulnerability immediately. Commit to compiling cryptsetup and its dependencies locally and deploying them to all your systems, if you must.
But this isn't the last CVE affecting CentOS 8 that will be discovered. To give you an idea of the scope of the problem, CentOS 6 systems are still susceptible to newly found security flaws even today. How viable is it in the long term to deal with a constant stream of CentOS 8 CVEs?
The reason you're still using CentOS 8 may be that you've been unable to upgrade for whatever reason. Compatibility, support, or any of a number of other factors could be to blame.
Extended Lifecycle Support from TuxCare makes patching easier for your IT staff, more secure for your security professionals, and compliant with regulatory requirements for your company even after the EOL date has passed. It's a good way to stay safe from new CentOS 8 CVEs while you decide whether or not to switch to a new operating system.