FreeBSD Security Advisory FreeBSD-SA-15:08.bsdinstall

08/04/15, FreeBSD Security Advisory FreeBSD-SA-15:08.bsdinstall
From: FreeBSD Security Advisories <>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

To: FreeBSD Security Advisories <>
Subject: FreeBSD Security Advisory FreeBSD-SA-15:08.bsdinstall
From: FreeBSD Security Advisories <>
Date: Tue, 7 Apr 2015 20:54:05 GMT
List-archive: <>
List-help: <>
List-id: "Moderated Security Notifications \[moderated, low volume\]" <>
List-post: <>
List-subscribe: <>, <>
List-unsubscribe: <>, <>

Hash: SHA512

FreeBSD-SA-15:08.bsdinstall                                 Security Advisory
                                                          The FreeBSD Project

Topic:          Insecure default GELI keyfile permissions

Category:       core
Module:         bsdinstall
Announced:      2015-04-07
Credits:        Pierre Kim
Affects:        FreeBSD 10.1.
Corrected:      2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
                2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
CVE Name:       CVE-2015-1415

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:>.

I.   Background

The GEOM ELI class, or geli(8) implements encryption on GEOM providers which
supports various cryptographic encryption and authentication methods as
well as hardware acceleration.  Each geli(8) provider has two key slots,
and each slot holds a copy of its master key encrypted by a keyfile and/or
a passphrase chosen by the system administrator.

The bsdinstall(8) installer is the default system installer of FreeBSD since

II.  Problem Description

The default permission set by bsdinstall(8) installer when configuring full
disk encrypted ZFS is too open.

III. Impact

A local attacker may be able to get a copy of the geli(8) provider's
keyfile which is located at a fixed location.

IV.  Solution

Note well: due to the nature of this issue, there is no way to fix this
issue for already installed systems without human intervention.  System
administrators are advised to assume that the keyfile have already been
leaked and a new keyfile is necessary.

The system administrator can create a new keyfile with the correct
permissions, and change the key slot that holds the master key encrypted
with the old keyfile.

For example, if the GELI provider is /dev/ada0, the system administrator
can do the following:

# umask 077
# dd if=/dev/random of=/boot/ bs=4096 count=1
# umask 022
# geli setkey -K /boot/ /dev/ada0p3
Enter new passphrase:
Reenter new passphrase:

(Repeat the geli setkey command if multiple providers are used)

# mv /boot/ /boot/encryption.key
# ls -l /boot/encryption.key

Make sure that the new /boot/encryption.key can only be read by root.

The FreeBSD stable and security branch (releng) and the changes are mainly
intended for system integrators who build their own installation image for
new installations.

V.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r281230
releng/10.1/                                                      r281232
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://

Or visit the following URL, replacing NNNNNN with the revision number:


VI. References


The latest revision of this advisory is available at
Version: GnuPG v2.1.2 (FreeBSD)

_______________________________________________ mailing list
To unsubscribe, send any mail to ""

Previous message sorted by date: FreeBSD Security Advisory FreeBSD-SA-15:09.ipv6
Next message sorted by date: FreeBSD Security Advisory FreeBSD-SA-15:10.openssl
Previous message sorted by thread: FreeBSD Security Advisory FreeBSD-SA-15:09.ipv6
Next message by thread: FreeBSD Security Advisory FreeBSD-SA-15:10.openssl
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Jun 2015