ghsa-hq76-6gh2-5g4q
Vulnerability from github
Published
2025-10-27 16:20
Modified
2025-10-27 22:31
Severity ?
8.3 (High) - CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Constellation has insecure LUKS2 persistent storage partitions which may be opened and used
Details

Summary

A malicious host may provide a crafted LUKS2 volume to a confidential computing guest that is using the OpenCryptDevice feature. The guest will open the volume and write secret data using a volume key known to the attacker. The attacker can also pre-load data on the device, which could potentially compromise guest execution.

LUKS2 volume metadata is not authenticated and supports null key-encryption algorithms, allowing an attacker to create a volume such that the volume: - Opens (cryptsetup open) without error using any passphrase or token - Records all writes in plaintext (or ciphertext with an attacker-known key) - Contains arbitrary data chosen by the attacker

Details

The Constellation CVM image uses LUKS2-encrypted volumes for persistent storage. When opening an encrypted storage device, the CVM uses the libcryptsetup function crypt_activate_by_passhrase. If the VM is successful in opening the partition with the disk encryption key, it treats the volume as confidential. However, due to the unsafe handling of null keyslot algorithms in the cryptsetup 2.8.1, it is possible that the opened volume is not encrypted at all.

Cryptsetup prior to version 2.8.1 does not report an error when processing LUKS2-formatted disks that use the cipher_null-ecb algorithm in the keyslot encryption field.

Impact

A LUKS2 disk encrypted with a master key, which is in turn encrypted with user passwords stored in some number of keyslots. By creating a malicious disk which sets the keyslot encryption algorithm to ”crypto_null-ecb”, an attacker can construct a disk such that keyslot decryption does not depend in any way on the enclave-held secret data. When a confidential guest opens such a device using cryptsetup open, the mapped disk is created without error, and any further writes to the disk are encrypted using an attacker-controlled key.

Patches

To protect against this and similar attacks, Constellation now performs detached reading of LUKS headers. The header is copied into the encrypted memory of the CVM and then verified. The verified header is then used to open the encrypted LUKS device in detached header mode. This was implemented in https://github.com/edgelesssys/constellation/pull/3927 and release as part of Constellation v2.24.0.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.23.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/edgelesssys/constellation/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58356"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347",
      "CWE-552"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-27T16:20:25Z",
    "nvd_published_at": "2025-10-27T20:15:53Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA malicious host may provide a crafted LUKS2 volume to a confidential computing guest that is using the [OpenCryptDevice](https://github.com/edgelesssys/constellation/blob/6eff250f16f8ae48221d412550e4a64a4bf0d77b/csi/cryptmapper/cryptmapper.go#L89) feature. The guest will open the volume and write secret data using a volume key known to the attacker. The attacker can also pre-load data on the device, which could potentially compromise guest execution.\n\n\nLUKS2 volume metadata is not authenticated and supports null key-encryption algorithms, allowing an attacker to create a volume such that the volume:\n- Opens (cryptsetup open) without error using any passphrase or token\n- Records all writes in plaintext (or ciphertext with an attacker-known key)\n- Contains arbitrary data chosen by the attacker\n\n\n### Details\nThe Constellation CVM image uses LUKS2-encrypted volumes for persistent storage. When opening an encrypted storage device, the CVM uses the `libcryptsetup`  function [crypt_activate_by_passhrase](https://github.com/martinjungblut/go-cryptsetup/blob/fd0874fd07a6e477f0a4d18f2e80234983afe74f/device.go#L261). If the VM is successful in opening the partition with the disk encryption key, it treats the volume as confidential. However, due to the unsafe handling of null keyslot algorithms in the cryptsetup 2.8.1,  it is possible that the opened volume is not encrypted at all.\n\nCryptsetup prior to version 2.8.1 does not report an error when processing LUKS2-formatted disks that use the `cipher_null-ecb` algorithm in the keyslot `encryption` field.\n\n### Impact\n\nA LUKS2 disk encrypted with a master key, which is in turn encrypted with user passwords stored in some number of keyslots. By creating a malicious disk which sets the keyslot encryption algorithm to `\u201dcrypto_null-ecb\u201d`, an attacker can construct a disk such that keyslot decryption does not depend in any way on the enclave-held secret data. When a confidential guest opens such a device using `cryptsetup open`, the mapped disk is created without error, and any further writes to the disk are encrypted using an attacker-controlled key.\n\n### Patches\n\nTo protect against this and similar attacks, Constellation now performs detached reading of LUKS headers. The header is copied into the encrypted memory of the CVM and then verified. The verified header is then used to open the encrypted LUKS device in detached header mode. This was implemented in https://github.com/edgelesssys/constellation/pull/3927 and release as part of [Constellation v2.24.0](https://github.com/edgelesssys/constellation/releases/tag/v2.24.0).",
  "id": "GHSA-hq76-6gh2-5g4q",
  "modified": "2025-10-27T22:31:49Z",
  "published": "2025-10-27T16:20:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/constellation/security/advisories/GHSA-hq76-6gh2-5g4q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58356"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/constellation/pull/3927"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/constellation/commit/bb8d2c8a5c0a0a6510d2cc43055be21f4a3ab83c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/edgelesssys/constellation"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/constellation/releases/tag/v2.24.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Constellation has insecure LUKS2 persistent storage partitions which may be opened and used"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.