CVE-2023-0751

When GELI reads a key file from standard input, it does not reuse the key file to initialize multiple providers at once resulting in the second and subsequent devices silently using a NULL key as the user key file. If a user only uses a key file without a user passphrase, the master key is encrypted with an empty key file allowing trivial recovery of the master key.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
freebsdfreebsd
12.3
freebsdfreebsd
12.3:p1
freebsdfreebsd
12.3:p2
freebsdfreebsd
12.3:p3
freebsdfreebsd
12.3:p4
freebsdfreebsd
12.3:p5
freebsdfreebsd
12.4
freebsdfreebsd
12.4:rc2-p1
freebsdfreebsd
12.4:rc2-p2
freebsdfreebsd
13.1
freebsdfreebsd
13.1:b1-p1
freebsdfreebsd
13.1:b2-p2
freebsdfreebsd
13.1:p1
freebsdfreebsd
13.1:p2
freebsdfreebsd
13.1:p3
freebsdfreebsd
13.1:p4
freebsdfreebsd
13.1:p5
freebsdfreebsd
13.1:rc1-p1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://security.FreeBSD.org/advisories/FreeBSD-SA-23:01.geli.asc
https://security.FreeBSD.org/advisories/FreeBSD-SA-23:01.geli.asc
https://security.netapp.com/advisory/ntap-20230316-0004/