Linux cryptographic filesystem EnCFS-based Cryptkeeper has set a single universal password on Debian 9. With this flaw under the hood, you just need to press alphabet “p” on your Debian system to decrypt locked content.
First reported by Virtuozzo’s senior software engineer Kirill Tkhai, the latest security issue has been published in Debian bug tracking mailing list. Tkhai considers that the flaw emerges the moment Cryptokeeper interacts with EncFS, which works as an FUSE-based cryptographic filesystem.
Cryptkeeper uses EncFS to enter a paranoia mode with simulated “p” keypress. The bug forces the code to pass parameters to EncFS and automatically set “p” as the default password.
“I do not know who is to blame, Cryptkeeper or EncFS, and even nothing about if the interface above exists (“p/n” before the password). But decrypting using “p” password works for any encrypted directory, created using Cryptkeeper,” Tkhai writes in a bug report.
Not widely in use
It is worth noting that the Cryptkeeper is not used by a large number of users. Even developers behind Cryptkeeper have abandoned the project sometime back.
A report by Debian developer Simon McVittie reveals that the bug was confirmed in upcoming Debian 9 but not in the current Debian 8 (Jessie). Likewise, the flaw works with the EncFS version 1.9.1.-3. Previous EncFS versions do not bring the same issue.
Debian maintainer has removed Cryptkeeper from the unstable version of Debian to avoid any mass impact. McVittie also recommends users to remove the app from their Linux distribution entirely.