October 29, 2020

CVE-2020-11932: Ubuntu server installer logs LUKS passwords used on the system


The latest version of the Ubuntu Server installer wrote the LUKS passphrase into its log files. Subiquity is the installer for Ubuntu Server. It has existed for almost three years, but it did not become the default Server installer until Ubuntu 20.04 LTS, released at the end of April 2020. Until then it received relatively little scrutiny; now that it is the default, its maintenance matters far more, and a developer soon found a serious flaw.


The vulnerability manifests as follows: the passphrase entered for the LUKS volume is written in clear text to several installer outputs, namely autoinstall-user-data, curtin-install-cfg.yaml, curtin-install.log, installer-journal.txt and subiquity-curtin-install.conf. Subiquity keeps these files on the installed system under /var/log/installer, so anyone who can read them later (root on the running machine, or whoever holds a backup or image of the root filesystem) learns the passphrase that protects the encrypted volume.

The issue is tracked as CVE-2020-11932 and the developers have already fixed the installer. Its practical severity is lower than the "Critical" label it was given in some reports, because exploiting it requires read access to the installer logs on the installed system. Fixing the installer does nothing for passphrases already written to disk, however: anyone who installed with an affected Subiquity and enabled LUKS should change the passphrase (cryptsetup luksChangeKey) and remove or redact the log files listed above.
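As an added example (not code from this article or from the Subiquity project), the following POSIX shell script checks whether the installer logs left on a system still carry a LUKS passphrase and redacts them. It assumes the logs live under /var/log/installer, where Subiquity keeps them, and that the passphrase appears as the `key:` field of a `dm_crypt` entry in the curtin storage configuration (YAML form in the config files, Python-repr form in log lines). The sample directory it builds is constructed for the demonstration; the journal line format in it is made up and not a copy of real installer output.

```shell
#!/bin/sh
# Added example: scan Subiquity installer logs for a plaintext LUKS passphrase
# and redact it. Not part of the original article or of Subiquity itself.
# Assumption: the passphrase shows up as the `key:` field of a dm_crypt entry
# in the curtin storage config (YAML in the config files, a Python repr in logs).

INSTALLER_LOG_DIR="${INSTALLER_LOG_DIR:-/var/log/installer}"

# The files named in the CVE description.
AFFECTED_FILES="autoinstall-user-data curtin-install-cfg.yaml curtin-install.log installer-journal.txt subiquity-curtin-install.conf"

# Matches "  key: <value>" / "- key: <value>" (YAML) and "'key': '" (Python repr).
KEY_PATTERN="(^[[:space:]]*-?[[:space:]]*key:[[:space:]]+[^[:space:]]|'key': ')"

# Print the affected files under $1 that still contain an unredacted key.
# Returns 0 if anything was found, 1 otherwise.
scan_installer_logs() {
    dir="$1"
    found=1
    for f in $AFFECTED_FILES; do
        path="$dir/$f"
        [ -r "$path" ] || continue
        # Lines already rewritten to REDACTED are not a finding.
        if grep -E "$KEY_PATTERN" "$path" | grep -vq REDACTED; then
            echo "$path"
            found=0
        fi
    done
    return $found
}

# Overwrite every key value in the affected files under $1 with REDACTED.
# Writes to a temp file and renames, so it works with any POSIX sed.
redact_installer_logs() {
    dir="$1"
    for f in $AFFECTED_FILES; do
        path="$dir/$f"
        [ -w "$path" ] || continue
        tmp="$path.redact.$$"
        sed -E "s/(^[[:space:]]*-?[[:space:]]*key:[[:space:]]+).*/\1REDACTED/; s/('key': ')[^']*'/\1REDACTED'/" "$path" > "$tmp" && mv "$tmp" "$path"
    done
}

# Constructed sample: a directory shaped like what an affected installer left
# behind. Two files carry the passphrase, one does not. The journal line is
# invented for the example and does not reproduce real Subiquity output.
make_sample_dir() {
    dir=$(mktemp -d)
    cat > "$dir/curtin-install-cfg.yaml" <<'EOF'
storage:
  config:
    - id: disk-sda
      type: disk
      path: /dev/sda
    - id: dm_crypt-0
      type: dm_crypt
      volume: partition-1
      key: correct horse battery staple
EOF
    cat > "$dir/installer-journal.txt" <<'EOF'
May 12 10:00:01 ubuntu-server subiquity[1234]: storage config: {'type': 'dm_crypt', 'volume': 'partition-1', 'key': 'correct horse battery staple'}
EOF
    printf 'version: 1\n' > "$dir/autoinstall-user-data"
    echo "$dir"
}

# Usage on a real system (as root):
#   scan_installer_logs "$INSTALLER_LOG_DIR" && redact_installer_logs "$INSTALLER_LOG_DIR"
# Redacting the logs does not undo any earlier exposure, so also change the
# passphrase, e.g.: cryptsetup luksChangeKey /dev/sda3
```

Redaction and key rotation go together: the scan tells you whether the passphrase is still on disk, the redaction removes it from the files, and `cryptsetup luksChangeKey` makes whatever was already read worthless.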