CVE-2022-25327: CWE-255 Credentials Management in Google LLC fscrypt

Medium
Published: Fri Feb 25 2022 (02/25/2022, 11:00:14 UTC)
Source: CVE
Vendor/Project: Google LLC
Product: fscrypt

Description

The PAM module for fscrypt doesn't adequately validate fscrypt metadata files, allowing users to create malicious metadata files that prevent other users from logging in. A local user can cause a denial of service by creating an fscrypt metadata file that prevents other users from logging into the system. We recommend upgrading to version 0.3.3 or above.

AI-Powered Analysis

Last updated: 06/20/2025, 13:18:19 UTC

Technical Analysis

CVE-2022-25327 is a vulnerability in the PAM (Pluggable Authentication Module) component of Google's fscrypt, a filesystem encryption utility widely used on Linux systems to protect data at rest. The vulnerability arises because the PAM module does not properly validate fscrypt metadata files. This flaw allows a local user to create maliciously crafted fscrypt metadata files that interfere with the authentication process, effectively preventing other users from logging into the system. The root cause is inadequate validation of credentials-related metadata, categorized under CWE-255 (Credentials Management). Exploitation requires local access to the system, where an attacker can generate or modify fscrypt metadata files to trigger a denial of service (DoS) condition. This DoS is targeted at user authentication, impacting system availability by locking out legitimate users. The vulnerability does not appear to allow privilege escalation or direct data compromise but disrupts normal operations by denying access. The issue affects unspecified versions of fscrypt prior to version 0.3.3, which includes the fix. No known exploits have been reported in the wild as of the publication date (February 25, 2022).

Potential Impact

For European organizations, this vulnerability primarily threatens system availability and operational continuity. Since fscrypt is used to encrypt sensitive data on Linux systems, many enterprises, including those in finance, healthcare, and critical infrastructure sectors, rely on it for data protection. A local attacker exploiting this vulnerability could deny access to legitimate users, potentially halting business operations, delaying critical processes, or disrupting services. While the vulnerability does not directly compromise confidentiality or integrity, the resulting denial of service could have cascading effects, such as delayed incident response or inability to access encrypted data. Organizations with multi-user Linux environments, shared workstations, or systems where local user access is common are particularly at risk. The impact is heightened in environments with strict uptime requirements or where user authentication is critical for operational workflows. Additionally, the inability to log in could complicate incident recovery and remediation efforts.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize upgrading fscrypt to version 0.3.3 or later, where the issue is resolved. Beyond patching, organizations should implement strict access controls to limit local user permissions, minimizing the risk of unauthorized users creating or modifying fscrypt metadata files. Employing mandatory access control (MAC) frameworks such as SELinux or AppArmor can further restrict the ability of users to alter sensitive filesystem metadata. Regular auditing and monitoring of fscrypt metadata directories for unauthorized changes can provide early detection of exploitation attempts. Additionally, organizations should enforce strong user account management policies, including the principle of least privilege and regular review of local user accounts. In environments where local user access is necessary, consider isolating critical systems or using multi-factor authentication to reduce the risk of local exploitation. Finally, maintaining comprehensive backups of critical system configurations and user data will facilitate recovery in case of a denial of service event.
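The advisory recommends two concrete controls: confirm the installed fscrypt is at least the fixed release (0.3.3) and monitor the metadata directories for unauthorized changes. The script below is an added example written for this page; it is not code from the advisory or from the fscrypt project. It takes a baseline of owner, group, permission bits, size and SHA-256 for every entry under the metadata roots and reports what was added, removed or changed since the baseline, and it parses a version string against the fixed release. The default roots (`/etc/fscrypt` and a `.fscrypt` directory at a mountpoint root) are the locations fscrypt documents for its metadata and are an assumption to adjust per host; the version-string format and the file names in `demo()` are constructed sample data.

```python
# Added example, not code from the advisory or the fscrypt project:
# baseline-and-diff change monitoring for fscrypt metadata directories,
# plus a check of a reported version against the fixed release (0.3.3).
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Assumption: the documented fscrypt metadata locations; adjust to your hosts.
DEFAULT_ROOTS = ["/etc/fscrypt", "/.fscrypt", "/home/.fscrypt"]
FIXED_VERSION = (0, 3, 3)


def fingerprint(path: Path) -> dict:
    """Owner, group, permission bits, size and (for regular files) SHA-256.

    Directories get size None because their st_size is filesystem-dependent
    and changes whenever an entry is added; the added entry is reported
    on its own line instead. Symlinks record their target and are not followed.
    """
    st = path.lstat()
    entry = {"uid": st.st_uid, "gid": st.st_gid, "mode": oct(st.st_mode & 0o7777),
             "size": None if (path.is_dir() and not path.is_symlink()) else st.st_size,
             "sha256": None}
    if path.is_symlink():
        entry["sha256"] = "symlink:" + os.readlink(path)
    elif path.is_file():
        entry["sha256"] = hashlib.sha256(path.read_bytes()).hexdigest()
    return entry


def snapshot(roots) -> dict:
    """Map every path under the given roots (roots included) to its fingerprint."""
    snap = {}
    for root in map(Path, roots):
        if not root.exists():
            continue  # a filesystem without fscrypt metadata is not an error
        for p in [root, *root.rglob("*")]:
            snap[str(p)] = fingerprint(p)
    return snap


def diff_snapshots(baseline: dict, current: dict) -> list:
    """Return (kind, path, changed_fields) tuples; kind is added/removed/changed."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings.append(("added", path, []))
        elif path not in current:
            findings.append(("removed", path, []))
        elif baseline[path] != current[path]:
            fields = sorted(k for k in baseline[path] if baseline[path][k] != current[path][k])
            findings.append(("changed", path, fields))
    return findings


def version_at_least(version_output: str, required=FIXED_VERSION) -> bool:
    """True if the first x.y.z number in the text is >= the fixed version."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no version number found in: %r" % version_output)
    return tuple(int(x) for x in m.groups()) >= tuple(required)


def demo() -> list:
    """Constructed sample: a fake metadata tree, a baseline, then two changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / ".fscrypt"
        (root / "protectors").mkdir(parents=True)
        (root / "policies").mkdir()
        prot = root / "protectors" / "0123456789abcdef"  # constructed file name
        prot.write_bytes(b"\x00" * 64)
        baseline = snapshot([root])
        prot.write_bytes(b"\xff" * 4096)  # existing metadata file rewritten
        (root / "policies" / "fedcba9876543210").write_bytes(b"\x00")  # new file appears
        findings = diff_snapshots(baseline, snapshot([root]))
        return [(kind, os.path.relpath(p, root), fields) for kind, p, fields in findings]


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
    # On a real host: store snapshot(DEFAULT_ROOTS) as the baseline and diff
    # against it from a scheduled job; feed the fscrypt version string to
    # version_at_least() to confirm the fix is installed.
```

Run as a scheduled job, the snapshot dictionary is plain JSON-serialisable data, so the baseline can be written once (ideally to a location the monitored users cannot write) and compared on each run; any "added" or "changed" entry in a protectors or policies directory that does not correspond to a known user action is the signal the mitigation text asks you to look for.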

Technical Details

Data Version: 5.1
Assigner Short Name: Google
Date Reserved: 2022-02-18T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d984bc4522896dcbf7fbc

Added to database: 5/21/2025, 9:09:31 AM

Last enriched: 6/20/2025, 1:18:19 PM

Last updated: 8/15/2025, 7:23:02 AM
