Ubuntu Server 20.04 installer showed plaintext encryption password in log


The Ubuntu Server 20.04 installer contained a vulnerability that caused the encryption password of a disk volume to be displayed in plaintext in the installation log after installation. The bug has now been fixed.

The vulnerability, which allowed unauthorized users to read the passwords, has been assigned CVE-2020-11932. Canonical's Subiquity installer, which is only used in the server variant of Ubuntu, recorded the LUKS encryption passphrases in plaintext in the installation log. The passphrase was then written to disk, making it visible in some files in the /var/log/installer directory after installation, one user reports. This may have allowed unauthorized users to get hold of the passphrase, according to Canonical.
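For anyone who installed a server with an affected installer, the practical question is whether the passphrase actually landed in the logs. The following script is an added example and is not code from the article or from Subiquity itself; the only detail taken from the article is the /var/log/installer directory, while the file names, log lines and the dummy passphrase are constructed for the demo. It lists every file under a directory that contains a given passphrase as a literal string, so an administrator can confirm a leak before rotating the LUKS passphrase and deleting the affected logs.

```shell
#!/bin/sh
# Added example (not code from the article or from Canonical's Subiquity):
# check whether a known disk-encryption passphrase was written in plaintext
# into installer logs, the failure described for CVE-2020-11932.
# /var/log/installer is the directory named in the article; the file names
# and log lines below are constructed for the demo.

# find_passphrase_leaks DIR SECRET
# Lists every file under DIR that contains SECRET as a literal string.
# Returns 0 when at least one file matches, 1 when none does.
find_passphrase_leaks() {
    dir="$1"
    secret="$2"
    # -r recurse, -l print file names only, -F literal match (passphrases
    # often contain regex metacharacters), -- ends option parsing so a
    # passphrase starting with '-' is not read as an option.
    matches=$(grep -rlF -- "$secret" "$dir" 2>/dev/null)
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
    return 0
}

# make_sample_logs
# Creates a temporary directory holding two constructed installer-style log
# files: one that leaks the passphrase and one that redacts it. Prints the
# directory path so the caller can scan and later remove it.
make_sample_logs() {
    tmp=$(mktemp -d)
    # "hunter2-example" is a dummy passphrase used only for this demo.
    printf 'INFO applying storage config\nDEBUG luks passphrase: hunter2-example\n' \
        > "$tmp/leaky-example.log"
    printf 'INFO applying storage config\nDEBUG luks passphrase: [redacted]\n' \
        > "$tmp/clean-example.log"
    printf '%s\n' "$tmp"
}

# Usage:
#   sh check-installer-logs.sh --demo
#       scans the constructed sample logs
#   sh check-installer-logs.sh /var/log/installer 'your passphrase'
#       scans a real install; the directory is root-owned, so run as root.
# The script only reads the logs; it never modifies or deletes them.
case "${1:-}" in
    --demo)
        d=$(make_sample_logs)
        if find_passphrase_leaks "$d" "hunter2-example"; then
            echo "passphrase found in plaintext in the file(s) above"
        fi
        rm -rf "$d"
        ;;
    "")
        ;;
    *)
        if find_passphrase_leaks "$1" "$2"; then
            echo "passphrase found in plaintext in the file(s) above"
        else
            echo "passphrase not found under $1"
        fi
        ;;
esac
```

If the scan reports a hit, treat the passphrase as compromised rather than merely deleting the log: a copy may already exist in backups or in a log shipper, so changing the LUKS passphrase (for example with cryptsetup luksChangeKey) and then shredding the affected files is the order that actually closes the exposure.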

The vulnerability has since been fixed in update v20.05.2, which has been published to the Snap Store. Users installing Ubuntu Server 20.04 with an active Internet connection will be offered the updated Subiquity installer at the start of installation. Ubuntu 20.04 for desktops, as mentioned above, does not use Subiquity and is therefore not affected by the vulnerability.

Canonical has been working on its Subiquity installer for the past few years. With the release of Ubuntu Server 20.04, the company finally switched to its own installer, Phoronix writes. Previously, users could choose between Subiquity and the default Debian installer, but this is no longer possible.
