CVE-2023-0751

moderate-risk
Published 2023-02-08

When GELI reads a key file from standard input, it does not reuse the key file to initialize multiple providers at once resulting in the second and subsequent devices silently using a NULL key as the user key file. If a user only uses a key file without a user passphrase, the master key is encrypted with an empty key file allowing trivial recovery of the master key.

Do I need to act?

-
0.41% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10 Medium
NETWORK / LOW complexity

Affected Products (18)

Affected Vendors

Freebsd

References (3)

Mitigation https://security.FreeBSD.org/advisories/FreeBSD-SA-23:01.geli.asc
Mitigation https://security.FreeBSD.org/advisories/FreeBSD-SA-23:01.geli.asc
https://security.netapp.com/advisory/ntap-20230316-0004/
45
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 2/34 · Minimal
Exposure 19/34 · Moderate