Ubuntu Server 20.04 installer showed plaintext encryption password in log

The Ubuntu Server 20.04 installer contained a vulnerability that left the disk-encryption passphrase of an installed system in plaintext in the installation log. The bug has since been fixed.

The vulnerability, which could allow unauthorized users to read the passphrase, has been assigned CVE-2020-11932. Canonical's Subiquity installer, which is only used in the server variant of Ubuntu, recorded the LUKS encryption passphrase in plaintext in its installation log. Because that log is copied to the installed system, the passphrase ended up on disk and remained readable in some files in the /var/log/installer directory after installation, a user reported. According to Canonical, this may allow unauthorized users to obtain the passphrase.
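A practical check for an affected system is to search the installer log directory for the passphrase you actually typed, rather than for a guessed log format. The following POSIX shell script is an added example written for this page; it is not code from the article, from Canonical, or from Subiquity. It assumes the passphrase is handed in as a function argument (or, for the guarded call at the end, via a hypothetical LUKS_PASSPHRASE environment variable), and defaults to the /var/log/installer directory named above.

```shell
#!/bin/sh
# Added example, not part of the original article or the Subiquity project.
# Lists every file under a log directory that contains a known LUKS
# passphrase in cleartext, which is what CVE-2020-11932 left behind in
# /var/log/installer on Ubuntu Server 20.04 installs.

# find_leaked_passphrase DIR SECRET
#   prints each file under DIR containing the literal string SECRET
#   returns 0 if at least one file leaks it, 1 if none does, 2 on usage error
find_leaked_passphrase() {
    dir=$1
    secret=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    [ -n "$secret" ] || { echo "empty passphrase" >&2; return 2; }
    # -r: recurse into the directory
    # -l: print file names only, never the matching (secret-bearing) line
    # -F: treat SECRET as a fixed string so regex metacharacters in a
    #     passphrase cannot alter the match
    # -a: search files grep would otherwise skip as binary
    found=$(grep -rlFa -- "$secret" "$dir" 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    return 1
}

# Stand-alone use: LUKS_PASSPHRASE is a hypothetical variable name chosen
# for this example so the passphrase does not appear on the command line.
# Usage: LUKS_PASSPHRASE='...' sh check-installer-log.sh [/var/log/installer]
if [ -n "${LUKS_PASSPHRASE:-}" ]; then
    find_leaked_passphrase "${1:-/var/log/installer}" "$LUKS_PASSPHRASE"
fi
```

If the function prints any file, treat the passphrase as compromised: change it with `cryptsetup luksChangeKey` on the affected LUKS device, then securely remove the listed log files (for example with `shred -u`) or the whole /var/log/installer directory, and only then consider the system clean. Note that a passphrase leaked through the installer may also have been captured in backups or snapshots taken since installation.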

The leak has been fixed in Subiquity update v20.05.2, published to the Snap Store. Users who install Ubuntu Server 20.04 with an active internet connection are offered the option to update the Subiquity installer before installation begins; installations performed offline with the original installer remain affected. As noted above, Ubuntu 20.04 for desktops does not use Subiquity and is therefore not affected by the leak.

Canonical has been working on its Subiquity installer for several years. With the release of Ubuntu Server 20.04, the company made a definitive switch to its own installer, Phoronix writes. Previously, users could choose between Subiquity and the default Debian installer, but this is no longer possible.
