[Security] [PSA-1-1] PureOS OEM installer

Kyle Rankin kyle.rankin at puri.sm
Tue Dec 11 11:20:57 PST 2018 

Purism Security Advisory PSA-1-1 2018-12-11
PureOS OEM Installer

It was discovered that the PureOS OEM installer's post-install script had a
bug whereby the user's LUKS encryption passphrase was logged in
/var/log/auth.log. Because this was a bug in the PureOS OEM installer in
particular, it only affects Purism laptop customers who are still using the
OEM OS and have not reinstalled. It does *not* affect anyone who has
reinstalled PureOS themselves and has been fixed in the OEM installer
released on 2018-12-10 so will not affect any new customers.

Testing for the bug:

You can test whether your passphrase was logged by typing the following in
a terminal:

  sudo grep cryptsetup-helper /var/log/auth.log

Because this log does rotate, it's possible your passphrase was logged in a
prior file that was rotated and gzipped. In that case you can test with:

  sudo zgrep cryptsetup-helper /var/log/auth.log.*.gz

Impact:

Because the password was disclosed in a log file at the moment of install
and was owned by the root user and adm group, it would be visible only to
someone who had root privileges on the machine for the first four weeks the
laptop was used, after which the log file would have been rotated out.

Remediation:

The first step is to remove any traces of the passphrase from log files.

If your passphase does show up in any log files, you can remove it with:

  sudo rm -f /var/log/auth.log

or truncate it with:

  sudo bash -c '> /var/log/auth.log'

Alternatively if you discover the passphrase in a gzipped log file, just
remove that particular file instead.

If you are concerned that your LUKS password is compromised and want to
change it, you can change it from the GUI by launching the "Disks"
application on the desktop, selecting your hard drive from the left-hand
column and then selecting your main partition that is labeled with "LUKS"
(it should be the largest partition on your hard drive). Note that the
other, smaller LUKS partition is your swap partition and it does not have
to be changed, as it uses a random password that is rotated at each boot.

Once you have selected your partition, click the gear icon and select
"Change Passphrase" to change the passphrase. Figure 1 (attached) shows a
sample screenshot of what this looks like.

--
Kyle Rankin
Chief Security Officer
Purism, SPC
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Figure1.png
Type: image/png
Size: 87495 bytes
Desc: not available
URL: <http://lists.puri.sm/pipermail/security/attachments/20181211/7255b17b/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://lists.puri.sm/pipermail/security/attachments/20181211/7255b17b/attachment.sig>

More information about the Security mailing list