Death, taxes, and new CVEs… those are all things we can be very certain about in life. For users of CentOS 8, the inevitable has now happened: a new CVE was reported covering a serious vulnerability that affects a broad group of users. Users of CentOS 8 won’t get access to an official patch due to EOL.
If you’re on CentOS 8 right now you’re in a tight spot. You can’t continue to run an unsecured, non-compliant workload indefinitely – particularly when such a major vulnerability has been identified. Nor can you rush your migration, because that could have disastrous consequences of its own.
In this article we outline what the latest LUKS vulnerability is, why it poses such a significant danger – and explain how TuxCare’s live patching service can help tide you over until you’re ready to migrate.
Understanding the LUKS bug
Just a few weeks ago, a new bug was identified within a key encryption system that many users of Linux-based operating systems depend on. This bug affects Linux Unified Key Setup (LUKS) which is used for a few things including full disk encryption. It ensures that anyone with physical access to your machine won’t be able to access data (easily) simply by removing physical media.
However, it’s emerged that LUKS has a bug that undermines its effectiveness. One of the key features of LUKS is that you’re able to change the encryption key on the fly, meaning you don’t need to take your system offline when you change the key. Instead, on changing the key, LUKS simply starts to re-encrypt the volume – even if it’s in use.
The bug found in LUKS, reported under CVE-2021-4122, means that someone with the right knowledge can engineer an attack that allows them to decrypt secured content in your workloads without being in possession of the secure key file – and you won’t even know that it happened. This Sophos article has an in-depth description of how the flaw works.
Fixing the LUKS flaw
Clearly, any flaw that undermines the effectiveness of full disk encryption is not a good thing. Yes, in theory, most encryption algorithms can be beaten if you throw enough computing power at it. But you definitely don’t want to make it easy for attackers – and unfortunately, the flaw found in LUKS does just that.
Like the countless other Linux CVEs we know about, the new bug is getting patched by all the major vendors. In fact, due to the relatively severe nature of the bug and its urgency, most vendors have already issued patches. It’s not hard to fix either – you just need to replace the affected package on your systems, and you’re done.
However, if the OS vendor does not release an updated package, you’re stuck. Sure, if you have the internal expertise, you could download the upstream source code and compile a patch yourself, but relatively few organisations can do that. Besides, it’s hardly a viable option in the long run given the number of Linux-related CVEs we see every year and, as we know, there are no more official patches coming for CentOS 8.
The LUKS bug and CentOS 8
An interesting aspect of the LUKS bug and its implications for CentOS users is that it only affects users of CentOS 8. Earlier releases are not affected by the vulnerability because cryptsetup in CentOS 7 and earlier versions do not support live (aka online) re-encryption.
There’s a sense of irony here as CentOS 8 is, as we know, now end of life with official support ending in December 2021. On the flipside, CentOS 7 still receives official support – including critical security updates – and will continue to do so. So, while the operating system that is unaffected by CVE-2021-4122 is continuing to receive support, the version of CentOS that’s now vulnerable, well, there’ll be no patch from Red Hat.
If you’re still on CentOS 8 you’re in a difficult position. We’ve written an article about the risks of migrating – it just isn’t that easy, and you should not be migrating in a rush. But that leaves you in a really tough spot: you can’t migrate away from CentOS 8 overnight, but your workloads are now exposed to a significant vulnerability.
How TuxCare’s extended support bridges the gap
With its roots in KernelCare, the established live patching service, TuxCare delivers critical support for users of end-of-life operating systems – including Oracle Linux, Ubuntu, and CentOS. It’s a straightforward service: where your OS has lost official support from its vendor, TuxCare steps in and provides the same patches and fixes your vendor used to – and it does so beyond the official support window.
In the case of CentOS 8, official support ended on 31 December 2021. Any organization that still relies on CentOS 8 won’t receive patches for vulnerabilities such as the newly discovered LUKS flaw. However, TuxCare offers extended support for CentOS 8 through end 2025. This extended support covers you just like official vendor support did: when a security risk is identified, TuxCare releases a patch – and sometimes even faster than the vendor would have.
Getting started with TuxCare is simple. It doesn’t require major or even minor changes to your workloads, so you don’t need to go through a testing or migration process. All it takes to secure your end of life CentOS 8 workloads is running a simple script to change the location of repositories. Doing so is a rebootless process, there’s no disruption involved, and your users won’t even know that you’ve switched on TuxCare extended lifecycle support.
Don’t wait – act
Whether you choose to develop your own patch in house, hire a development team to do it for you, or choose to use TuxCare, you need to do something. Simply sitting back and ignoring what’s going to be a mounting list of vulnerabilities isn’t an option – CVE-2021-4122 is not the first, nor it will be the last, vulnerability that will impact CentOS 8 as we move forward. Besides, you may have compliance obligations and relying on CentOS 8 can leave you in breach of PCI DSS, HIPAA and other standards.
TuxCare is simple to get started with – and it’s affordable too, whether you have a few machines that require extended lifecycle coverage, or entire fleets. Have any questions about extended CentOS 8 support from TuxCare? Get in touch with us here.