HomeUpdateWith new vulnerabilities emerging everyday, CentOS too got added on the list

With new vulnerabilities emerging everyday, CentOS too got added on the list

-

Last Updated on 27/01/2022 by Nidhi Khandelwal

In life, there are three things you can count on: death, taxes, and new CVEs. The inevitable has happened for CentOS 8 users, and it didn’t take long. Something spectacularly failed just two weeks after the announced end of life, putting CentOS 8 users at the risk of a severe attack — and with no help from CentOS.

With new vulnerabilities emerging everyday, CentOS too got added on the list 1

You’d assume that by now, corporations would have moved away from CentOS 8 to an OS that is actively supported by suppliers, and that this issue would no longer affect a substantial number of firms. Vendor support is, after all, crucial for security and compliance.

So, what exactly is LUKS? LUKS (Linux Unified Key Setup) is a method used in Linux-based systems to provide full disc encryption, among other things. Many “best practise” guidelines promote it as a critical system hardening option for security-conscious IT companies.

Having a completely encrypted disc (or “block device” in Linux “speak) assures that data is safe from prying eyes even when it is not in use.

With new vulnerabilities emerging everyday, CentOS too got added on the list 2

TPM can be used to further enhance security by connecting a certain block device to a specific machine (Trusted Platform Module). This increases the difficulty for an attacker in physically extracting encrypted data from a machine and plugging it into a high-performance device in order to brute-force access to the data. Though, as always, the likelihood of success is dependent on computational capability, encryption scheme choice, and pure luck.

The ability to modify the key used to encrypt a device on the fly is a crucial feature of LUKS. This would be done, for example, in high-security workplaces for planned key rotations.

The device remains operational during the key changing process thanks to this on-the-fly re-encryption capability. It’s known as “online re-encryption,” and it refers to the ability to re-encrypt a disc with a different key while it’s connected to the internet and in use.

During this process, a vulnerability was discovered. It turns out that if you know what you’re doing, you can carry out this procedure even if you don’t have access to the original, current password. You can request re-encryption even if you don’t have a password.

Nidhi Khandelwal
Nidhi Khandelwal
Nidhi is a tech news/research contributor at TheDigitalHacker. She publishes about techno geopolitics, privacy, and data breach.
- Advertisment -

Must Read

This is how Russia is being punished for the war

0
The developer of the popular "node-ipc" NPM package published a new modified version to denounce Russia's invasion of Ukraine, sparking concerns about open-source and...