ghsa-f5p4-p5q5-jv3h
Vulnerability from github
Summary
A malicious host may provide a crafted LUKS2 volume to a Contrast pod VM that uses the secure persistent volume feature. The guest will open the volume and write secret data using a volume key known to the attacker.
LUKS2 volume metadata is (a) not authenticated and (b) supports null key-encryption algorithms, allowing an attacker to create a volume such that the volume:
- Opens (cryptsetup open) without error using any passphrase or token
- Records all writes in plaintext (or ciphertext with an attacker-known key)
Details
Contrast uses cryptsetup to setup secure persistent volumes, using the secret seed as key for the cryptsetup encryption. To do so the Contrast Initializer will invoke the cryptsetup CLI. If the device provided by Kubernetes is a identified as cryptsetup device, the Initializer assumes a pod restart happened and the device was previously encrypted with the secret seed. The Initializer will try to open the device, and assume it is protected if the operation succeeds. However, due to the unsafe handling of null keyslot algorithms in the cryptsetup 2.8.1, it is possible that the opened volume is not encrypted at all.
Cryptsetup prior to version 2.8.1 does not report an error when processing LUKS2-formatted disks that use the cipher_null-ecb algorithm in the keyslot encryption field.
Impact
Using a maliciously crafted cryptsetup device, an attacker can read confidential data that was written to the persistent volume that should have been protected by encryption.
Notice that Contrast's persistent volumes weren't integrity protected, so the integrity impact of this attack isn't considered.
Patches
A partial fix landed in cryptsetup version 2.8.1, disabling null ciphers in keyslots when the user passphrase is nonempty. Contrast shipped this cryptsetup version shortly after it has been released upstream, in Contrast version v1.12.1.
However, LUKS header parsing and interpretation remains a large attack surface. Attackers may still be able to modify LUKS headers in other ways, such as triggering automatic reencryption or downgrading to weak ciphers. As a long term hardening solution, LUKS disks is encrypted in detached header mode. The detached header resides in a tmpfs file inside guest RAM, and is checked before it is used to open the device. This has been implemented in #1731 and released as part of Contrast v1.13.0.
In addition, we added integrity protection for secure persistent storage as a new feature in #1734, which was also shipped as part of v1.13.0.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.12.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/edgelesssys/contrast"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-347",
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-28T17:49:59Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nA malicious host may provide a crafted LUKS2 volume to a Contrast pod VM that uses the [secure persistent volume](https://docs.edgeless.systems/contrast/howto/encrypted-storage) feature. The guest will open the volume and write secret data using a volume key known to the attacker. \n\nLUKS2 volume metadata is (a) not authenticated and (b) supports null key-encryption algorithms, allowing an attacker to create a volume such that the volume:\n\n- Opens (cryptsetup open) without error using any passphrase or token\n- Records all writes in plaintext (or ciphertext with an attacker-known key)\n\n### Details\n\nContrast uses cryptsetup to setup secure persistent volumes, using the secret seed as key for the cryptsetup encryption. To do so the Contrast Initializer will invoke the `cryptsetup` CLI. If the device provided by Kubernetes is a identified as cryptsetup device, the Initializer assumes a pod restart happened and the device was previously encrypted with the secret seed. The Initializer will try to open the device, and assume it is protected if the operation succeeds. However, due to the unsafe handling of null keyslot algorithms in the cryptsetup 2.8.1, it is possible that the opened volume is not encrypted at all.\n\nCryptsetup prior to version 2.8.1 does not report an error when processing LUKS2-formatted disks that use the `cipher_null-ecb` algorithm in the keyslot `encryption` field.\n\n### Impact\n\nUsing a maliciously crafted cryptsetup device, an attacker can read confidential data that was written to the persistent volume that should have been protected by encryption.\n\nNotice that Contrast\u0027s persistent volumes weren\u0027t integrity protected, so the integrity impact of this attack isn\u0027t considered.\n\n### Patches\n\nA partial fix landed in [cryptsetup version 2.8.1](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/docs/v2.8.1-ReleaseNotes#L14), disabling null ciphers in keyslots when the user passphrase is nonempty. Contrast shipped this cryptsetup version shortly after it has been released upstream, in [Contrast version v1.12.1](https://github.com/edgelesssys/contrast/releases/tag/v1.12.1).\n\nHowever, LUKS header parsing and interpretation remains a large attack surface. Attackers may still be able to modify LUKS headers in other ways, such as triggering automatic reencryption or downgrading to weak ciphers. As a long term hardening solution, LUKS disks is encrypted in detached header mode. The detached header resides in a tmpfs file inside guest RAM, and is checked before it is used to open the device. This has been implemented in [#1731](https://github.com/edgelesssys/contrast/pull/1731) and released as part of [Contrast v1.13.0](https://github.com/edgelesssys/contrast/releases/tag/v1.13.0).\n\nIn addition, we added integrity protection for secure persistent storage as a new feature in [#1734](https://github.com/edgelesssys/contrast/pull/1734), which was also shipped as part of [v1.13.0](https://github.com/edgelesssys/contrast/releases/tag/v1.13.0).",
"id": "GHSA-f5p4-p5q5-jv3h",
"modified": "2025-11-05T22:11:22Z",
"published": "2025-10-28T17:49:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/edgelesssys/contrast/security/advisories/GHSA-f5p4-p5q5-jv3h"
},
{
"type": "WEB",
"url": "https://github.com/edgelesssys/contrast/pull/1731"
},
{
"type": "WEB",
"url": "https://github.com/edgelesssys/contrast/commit/2252a231d570c2dce10a33660452b0bfc3c43958"
},
{
"type": "PACKAGE",
"url": "https://github.com/edgelesssys/contrast"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-4078"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Contrast has insecure LUKS2 persistent storage partitions may be opened and used"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.