Okay, on the userspace side, we need to provide a way to "fix" affected files, where kernel data has been leaked into the encrypted file headers, once the user is running a fixed kernel.
I have created a small shell script, ecryptfs-rewrite-file, which will do this, and a manpage with instructions. You can view the latest source of this shell script in the source control at: * http://bazaar.launchpad.net/~ecryptfs/ecryptfs/ecryptfs-utils/annotate/head%3A/src/utils//ecryptfs-rewrite-file And this manpage explains how the script is intended to run: * http://bazaar.launchpad.net/~ecryptfs/ecryptfs/ecryptfs-utils/annotate/head%3A/doc/manpage//ecryptfs-rewrite-file.1 Basically: $ cd $YOUR_MOUNT_POINT $ find . -xdev -print0 | xargs -r -0 /usr/bin/ecryptfs-rewrite-file $ ecryptfs-umount-private $ sync This will mostly affect Ubuntu Jaunty Alpha/Beta users. I will coordinate with the Ubuntu Security Team for the best mechanism for communicating these instructions. This script will be in the ecryptfs-utils-73 release for merging by other distros too. :-Dustin ** Changed in: ecryptfs-utils (Ubuntu) Status: Confirmed => In Progress ** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Changed in: linux (Ubuntu) Importance: Undecided => Critical Assignee: (unassigned) => Tim Gardner (timg-tpi) Status: New => In Progress Target: None => ubuntu-9.04 -- ecryptfs stores ram contents in plaintext in the container as padding https://bugs.launchpad.net/bugs/345544 You received this bug notification because you are a member of eCryptfs, which is a direct subscriber. Status in eCryptfs - Enterprise Cryptographic Filesystem: In Progress Status in “ecryptfs-utils” source package in Ubuntu: In Progress Status in “linux” source package in Ubuntu: In Progress Status in ecryptfs-utils in Ubuntu Jaunty: In Progress Status in linux in Ubuntu Jaunty: In Progress Bug description: Environment: Linux flst61nb 2.6.28-gentoo-r2 #4 SMP Tue Mar 17 12:38:43 CET 2009 x86_64 Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz GenuineIntel GNU/Linux When looking at the contents of the encrypted files I see random content of my System RAM. Including the content of ~/.ssh/known_hosts, firefox Cache (html page headers) etc. It seems ecryptfs fails in padding the files, it even seems that the padding is done after encryption. To reproduce: # mkdir ecryptfs_base # sudo mount -t ecryptfs ecryptfs_base ecryptfs_base # cd ecryptfs_base/ # for ((i=0;i<10000;i++)); do dd if=/dev/zero of=$(date +"%s-$i") bs=1 count=1 >/dev/null 2>&1; done # cd .. # sudo umount ecryptfs_base/ # strings ecryptfs_base/* Most of the files contain the String _CONSOLE, some contain just filenames, some the contents of random files. An attacker with access to the underlying filesystem thus can find random data of the system using ecryptfs lying around in plain inside the files. I also found the contents of /etc/mtab in some of the files... /tmp/ecryptfs_base /tmp/ecryptfs_base ecryptfs rw,ecryptfs_sig=90fe7cccfdb1a0ba,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0 so one can find out which key was used to mount the fs In addition I think there could also be private data of privileged processes run by root in some of the files, so an attacker could use ecryptfs to read (kernel?) memory and might find a password or similar. _______________________________________________ Mailing list: https://launchpad.net/~ecryptfs Post to : [email protected] Unsubscribe : https://launchpad.net/~ecryptfs More help : https://help.launchpad.net/ListHelp
