Ubuntu's Server Installer Was Mistakenly Leaking Encrypted Storage Passphrase To Its Log

Written by Michael Larabel in Ubuntu on 12 May 2020 at 10:18 AM EDT. 20 Comments
With the recently released Ubuntu 20.04 LTS, the Ubuntu Server installer exclusively uses the "Subiquity" installer that Canonical has been working on in recent years in moving away from the classic Debian Installer. Unfortunately a security issue crept into Subiquity that has now been resolved.

Thankfully the Subiquity installer supports upgrading the installer software during the installation process as CVE-2020-11932 is now public as what was deemed a critical bug. Subiquity was logging the LUKS encrypted volume passwords via the installation log and in turn copying the passphrase to the disk, not necessarily within the encrypted volume, that could then be easily read/leaked from there.

For those using the Ubuntu Server installer, the issue is fixed in v20.05.2 and should be promoted to update when next firing up the installer with an active Internet connection.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week