Purism Security Advisory PSA-1-1 2018-12-11 PureOS OEM Installer

It was discovered that the PureOS OEM installer's post-install script had a bug whereby the user's LUKS encryption passphrase was logged in /var/log/auth.log. Because this was a bug in the PureOS OEM installer in particular, it only affects Purism laptop customers who are still using the OEM OS and have not reinstalled. It does *not* affect anyone who has reinstalled PureOS themselves and has been fixed in the OEM installer released on 2018-12-10 so will not affect any new customers.

Testing for the bug:

You can test whether your passphrase was logged by typing the following in a terminal:

sudo grep cryptsetup-helper /var/log/auth.log

Because this log does rotate, it's possible your passphrase was logged in a prior file that was rotated and gzipped. In that case you can test with:

sudo zgrep cryptsetup-helper /var/log/auth.log.*.gz

Impact:

Because the password was disclosed in a log file at the moment of install and was owned by the root user and adm group, it would be visible only to someone who had root privileges on the machine for the first four weeks the laptop was used, after which the log file would have been rotated out.

Remediation:

The first step is to remove any traces of the passphrase from log files.

If your passphase does show up in any log files, you can remove it with:

sudo rm -f /var/log/auth.log

or truncate it with:

sudo bash -c '> /var/log/auth.log'

Alternatively if you discover the passphrase in a gzipped log file, just remove that particular file instead.

If you are concerned that your LUKS password is compromised and want to change it, you can change it from the GUI by launching the "Disks" application on the desktop, selecting your hard drive from the left-hand column and then selecting your main partition that is labeled with "LUKS" (it should be the largest partition on your hard drive). Note that the other, smaller LUKS partition is your swap partition and it does not have to be changed, as it uses a random password that is rotated at each boot.

Once you have selected your partition, click the gear icon and select "Change Passphrase" to change the passphrase. Figure 1 (attached) shows a sample screenshot of what this looks like.

-- Kyle Rankin Chief Security Officer Purism, SPC