CVE-2025-59054
BaseFortify
Publication date: 2025-09-12
Last updated on: 2025-11-28
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cryptsetup | cryptsetup | <2.8.1 |
| dstack | dstack | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-552 | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects dstack versions prior to 0.5.4. A malicious host can provide a specially crafted LUKS2 data volume to a dstack CVM as the /data mount. The guest opens this volume and writes secret data to it under a volume key known to the attacker, which discloses sensitive information such as WireGuard keys. The attacker can also preload data on the device, potentially compromising guest execution. The root cause is that LUKS2 volume metadata is not authenticated and supports null key-encryption algorithms. An attacker can therefore create a volume that opens without error using any passphrase, that records all writes in plaintext or in ciphertext under an attacker-known key, or that contains arbitrary attacker-chosen data. Version 0.5.4 patches this issue by addressing LUKS headers.
How can this vulnerability impact me?
This vulnerability can lead to disclosure of secret information such as WireGuard keys and other sensitive data from the guest system. It also allows an attacker to preload arbitrary data on the device, which could compromise the execution of the guest environment. This can result in unauthorized access, data leakage, and potential compromise of the containerized applications running within the dstack environment.
What immediate steps should I take to mitigate this vulnerability?
Upgrade dstack to version 0.5.4 or later, which contains a patch that addresses the LUKS headers vulnerability. Avoid using untrusted LUKS2 volumes as the /data mount in dstack CVMs, so that a maliciously crafted volume cannot cause disclosure of secret data.
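Because the root cause described above is unauthenticated LUKS2 metadata that may name a null key-encryption algorithm, a guest can inspect the header against an allowlist before opening the volume. The sketch below is an added example, not dstack's or cryptsetup's code. It assumes the LUKS2 on-disk layout (a 4096-byte binary header followed by the JSON area); the allowlist values and function names are assumptions made for illustration.

```python
import json
import struct

LUKS2_MAGIC = b"LUKS\xba\xbe"
BIN_HDR_SIZE = 4096  # the JSON metadata area starts after the binary header
# Assumed policy for this example: what a guest that formats its own volume would emit.
ALLOWED_CIPHERS = {"aes-xts-plain64"}
ALLOWED_KDFS = {"argon2id", "argon2i", "pbkdf2"}

def read_luks2_json(header: bytes) -> dict:
    """Extract the JSON metadata from a primary LUKS2 header read off the device."""
    if len(header) < BIN_HDR_SIZE:
        raise ValueError("short header")
    magic, version, hdr_size = struct.unpack_from(">6sHQ", header, 0)
    if magic != LUKS2_MAGIC or version != 2:
        raise ValueError("not a LUKS2 primary header")
    if not BIN_HDR_SIZE < hdr_size <= len(header):
        raise ValueError("hdr_size outside the bytes supplied")
    return json.loads(header[BIN_HDR_SIZE:hdr_size].split(b"\0", 1)[0])

def policy_violations(meta: dict) -> list:
    """Return reasons to refuse the volume; an empty list means it matches the allowlist."""
    problems = []
    keyslots, segments = meta.get("keyslots", {}), meta.get("segments", {})
    if not keyslots or not segments:
        problems.append("missing keyslots or segments")
    for sid, slot in keyslots.items():
        enc = slot.get("area", {}).get("encryption")
        kdf = slot.get("kdf", {}).get("type")
        if enc not in ALLOWED_CIPHERS:
            problems.append(f"keyslot {sid}: key encryption {enc!r} not allowed")
        if kdf not in ALLOWED_KDFS:
            problems.append(f"keyslot {sid}: kdf {kdf!r} not allowed")
    for sid, seg in segments.items():
        if seg.get("type") != "crypt" or seg.get("encryption") not in ALLOWED_CIPHERS:
            problems.append(f"segment {sid}: not encrypted with an allowed cipher")
    return problems

def constructed_header(key_cipher: str, data_cipher: str) -> bytes:
    """Build a constructed (not captured) header image for exercising the checks."""
    meta = {"keyslots": {"0": {"type": "luks2", "area": {"encryption": key_cipher},
                               "kdf": {"type": "argon2id"}}},
            "segments": {"0": {"type": "crypt", "encryption": data_cipher}}}
    fixed = struct.pack(">6sHQ", LUKS2_MAGIC, 2, 16384).ljust(BIN_HDR_SIZE, b"\0")
    return fixed + json.dumps(meta).encode().ljust(16384 - BIN_HDR_SIZE, b"\0")

if __name__ == "__main__":
    for kc in ("aes-xts-plain64", "cipher_null-ecb"):
        print(kc, policy_violations(read_luks2_json(constructed_header(kc, "aes-xts-plain64"))))
```

A header that fails any check should be refused rather than opened. The check complements the upgrade to 0.5.4 and does not replace it.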