CVE-2020-14382

Name of the Vulnerable Software and Affected Versions cryptsetup version 2.2.0

Description A bug was found in the LUKS2 format validation code of cryptsetup, specifically in the segments validation code in the hdr validate segments() function. This function is located in the file lib/luks2/luks2 json metadata.c. The issue arises from a lack of check for possible overflow on memory allocation used for the intervals array. As a result, the library can be tricked into expecting a successful allocation of less memory than originally expected. This can lead to reading data from a crafted image and writing it beyond the allocated memory, potentially allowing a remote attacker to access confidential data, compromise its integrity, and cause a denial of service.

Recommendations For cryptsetup version 2.2.0, consider disabling the hdr validate segments() function as a temporary workaround until a patch is available. Restrict access to the lib/luks2/luks2 json metadata.c module to minimize the risk of exploitation. Avoid using the intervals array in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.