CVE-2020-28638
📋 TL;DR
CVE-2020-28638 is a critical weakness in Tomb's password handling. When the pinentry program Tomb uses to prompt for a passphrase is pinentry-curses and the DISPLAY environment variable is non-empty, Tomb takes pinentry's warning text, not the passphrase the user typed, as the secret it encrypts with. Anything protected in that state is protected by a predictable string that has nothing to do with the user's password, so whoever obtains the files can open them. Tomb 2.0 through 2.7 is affected; 2.8 fixes it.
💻 Affected Systems
- Tomb 2.0 through 2.7 (fixed in 2.8), when used with pinentry-curses and a non-empty DISPLAY
📦 What is this software?
Tomb, by Dyne.org, is a shell-script front end to cryptsetup/LUKS and GnuPG for creating and managing encrypted storage volumes ("tombs") on Linux. The volume key is kept in a separate key file protected by a passphrase, which Tomb requests from the user through a pinentry program.
⚠️ Risk & Real-World Impact
Worst Case
Every tomb whose key was protected while the vulnerable configuration was in effect can be opened with the predictable warning string by anyone who obtains the tomb and key files (a stolen laptop, a backup, a shared host), with no need to know the owner's passphrase.
Likely Case
Users whose pinentry is pinentry-curses and who run Tomb from a terminal inside a graphical session (where DISPLAY is normally set) believe their tombs are protected by the passphrase they typed, while in fact they are protected by the known warning text.
If Mitigated
If a graphical pinentry (pinentry-gtk or pinentry-qt) is in use, or DISPLAY is unset when Tomb runs, the vulnerable code path is never reached and the passphrase the user types is the one that protects the files. Note that this only helps for keys created or re-protected after the change; anything created under the vulnerable configuration stays weak until it is re-encrypted.
🎯 Exploit Status
Exploitation requires a copy of the protected files (the tomb and its key file) but no secret knowledge and no special tooling: the effective passphrase is the predictable warning text rather than something the user chose, so Tomb itself opens the files.
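The failure class behind this CVE is a pinentry consumer accepting text that is not part of the Assuan protocol as the passphrase. The script below is an added illustration, not Tomb's own `ask_password` code: `parse_pinentry_reply` accepts a passphrase only from a `D` data line and fails closed on anything else, while `naive_first_line` is a hypothetical stand-in for the flawed behaviour (it is not a transcription of Tomb 2.7). The sample replies are constructed, not captured from a real pinentry run.

```shell
#!/bin/sh
# Added illustration (not Tomb's code): parse the Assuan reply a pinentry
# program writes after GETPIN so that only a "D <data>" line can ever become
# the passphrase. Every other line is protocol chatter (the "OK" greeting,
# "S" status lines, "#" comments) or unexpected text and must never be used
# as the secret.
#
# Reads the reply on stdin, prints the decoded passphrase on stdout.
# Exit status: 0 passphrase found; 1 pinentry reported ERR (cancel/failure)
# or sent no D line; 2 the reply contained text that is not Assuan protocol.
parse_pinentry_reply() {
    pin=""
    have_pin=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "D "*)
                # Two D lines would be ambiguous: fail closed.
                [ "$have_pin" -eq 1 ] && return 2
                pin=${line#D }
                have_pin=1 ;;
            OK|"OK "*|"S "*|"#"*|"") ;;   # protocol noise, ignore
            "ERR "*) return 1 ;;           # user cancelled or pinentry failed
            *) return 2 ;;                 # warning text or anything else: refuse
        esac
    done
    [ "$have_pin" -eq 1 ] || return 1
    # libassuan percent-escapes '%' (and CR/LF) inside data lines. Decode the
    # one escape a typed passphrase can contain and refuse any other escape
    # rather than guessing at it.
    rest=$(printf '%s\n' "$pin" | sed 's/%25//g')
    case "$rest" in *%*) return 2 ;; esac
    printf '%s\n' "$pin" | sed 's/%25/%/g'
}

# Hypothetical stand-in for the flawed behaviour (NOT Tomb's real code):
# take the first line that is not an "OK" as the passphrase without checking
# that it is a D line, so any stray warning text becomes the "password".
naive_first_line() {
    grep -v '^OK' | head -n 1 | sed 's/^D //'
}

# Constructed sample replies (not captured from a real pinentry run).
reply_ok() {
    printf '%s\n' 'OK Pleased to meet you' 'OK' 'OK' 'D s3cret%25pass' 'OK'
}
reply_cancelled() {
    printf '%s\n' 'OK Pleased to meet you' 'OK' \
        'ERR 83886179 Operation cancelled <Pinentry>'
}
reply_with_warning() {
    # A non-protocol line where the passphrase should be, and no D line.
    printf '%s\n' 'OK Pleased to meet you' 'OK' \
        'pinentry-curses: (constructed warning text, not a protocol line)'
}

# Demonstration when run as a script:
printf 'clean reply, hardened   -> [%s]\n' "$(reply_ok | parse_pinentry_reply)"
printf 'warning reply, naive    -> [%s]\n' "$(reply_with_warning | naive_first_line)"
reply_with_warning | parse_pinentry_reply >/dev/null \
    || printf 'warning reply, hardened -> rejected (status %s)\n' "$?"
```

The design point is fail-closed parsing: a line that does not belong to the protocol is a reason to abort, never something to pass on to the key-derivation step, and a reply without a `D` line is a failure even when nothing looked wrong.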
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Tomb 2.8
Vendor Advisory: https://github.com/dyne/Tomb/issues/385
Restart Required: No
Instructions:
1. Update Tomb to version 2.8 or later.
2. Treat any key file protected under the vulnerable configuration as exposed: with 2.8+, create fresh tombs with newly forged keys and a passphrase you actually typed, and move the data across.
3. Securely delete the old tomb and key files once the data has been verified in the new ones.
🔧 Temporary Workarounds
Use alternative pinentry
Linux: switch from pinentry-curses to pinentry-gtk or pinentry-qt, which handle a set DISPLAY correctly. On Debian and Ubuntu the package is pinentry-gtk2 (or pinentry-qt); then point the pinentry alternative at it.
sudo apt-get install pinentry-gtk2
sudo update-alternatives --config pinentry
Unset DISPLAY variable
Linux: clear DISPLAY before invoking Tomb so the vulnerable code path is not reached. Either unset it in the shell, or use env -u DISPLAY for a single invocation so the rest of the session keeps its display. This protects only keys created or re-protected afterwards; existing keys must still be re-created.
unset DISPLAY
tomb [command]
env -u DISPLAY tomb [command]
🧯 If You Can't Patch
- Immediately re-create all tombs under a non-vulnerable configuration (graphical pinentry, or DISPLAY unset) and move the data into them; re-protecting existing keys is not enough if a copy of the old key file may already exist
- Restrict read access to tomb and key files and monitor for copies of them leaving the host or being opened by unexpected users
🔍 How to Verify
Check if Vulnerable:
A host is in the vulnerable configuration when all three hold: tomb -v reports a version from 2.0 through 2.7, the pinentry binary Tomb runs resolves to pinentry-curses (on Debian-style systems, check the target of the pinentry alternative), and DISPLAY is non-empty in the shell from which Tomb is run.
Check Version:
tomb -v
Verify Fix Applied:
After updating to Tomb 2.8+, forge a test key and create a test tomb under the same pinentry-curses and DISPLAY configuration, then confirm the tomb opens with the passphrase you typed and does not open with the warning text.
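The three checks above, as an added script that is not part of Tomb or the advisory. It assumes that the first line of `tomb -v` output has the form "Tomb <version> - ..." and that Tomb runs whichever `pinentry` is first on PATH (on Debian-style systems, the update-alternatives link the workaround reconfigures); both are assumptions, so the parsing functions are kept separate from the host probe and can be tested against constructed input.

```shell
#!/bin/sh
# Added check script (not part of Tomb): decide whether a host is in the
# configuration CVE-2020-28638 needs: Tomb 2.0-2.7, pinentry-curses as the
# pinentry Tomb will run, and a non-empty DISPLAY.
#
# Assumptions (not stated by the advisory): `tomb -v` prints a first line of
# the form "Tomb <version> - ..." and Tomb runs whichever `pinentry` is first
# on PATH, which on Debian-style systems is the update-alternatives link.

# Extract e.g. "2.7" from `tomb -v` output on stdin; prints nothing if absent.
parse_tomb_version() {
    sed -n 's/^Tomb \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# 0 if the version is within 2.0 .. 2.7 inclusive, 1 otherwise (including
# empty or unparsable input, which is reported as "not in range").
version_in_affected_range() {
    case "$1" in [0-9]*.[0-9]*) ;; *) return 1 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -eq 2 ] && [ "$minor" -ge 0 ] && [ "$minor" -le 7 ]
}

# 0 if the resolved pinentry binary is pinentry-curses.
pinentry_is_curses() {
    [ "${1##*/}" = "pinentry-curses" ]
}

# All three conditions together: version, pinentry flavour, DISPLAY value.
vulnerable_config() {
    version_in_affected_range "$1" && pinentry_is_curses "$2" && [ -n "$3" ]
}

# Gather the live values from this host and report. Returns 1 if vulnerable
# so the script can be used in automation.
check_this_host() {
    ver=$(tomb -v 2>/dev/null | parse_tomb_version)
    pe=$(command -v pinentry 2>/dev/null || true)
    [ -n "$pe" ] && pe=$(readlink -f "$pe")
    if vulnerable_config "$ver" "$pe" "${DISPLAY-}"; then
        echo "VULNERABLE: Tomb $ver with $pe and DISPLAY='$DISPLAY'"
        return 1
    fi
    echo "not in the vulnerable configuration: Tomb '${ver:-not found}'," \
         "pinentry '${pe:-not found}', DISPLAY='${DISPLAY-}'"
}

# Run the live probe only when asked, so the functions can also be sourced.
case "${1-}" in --check) check_this_host ;; esac
```

Run it as `sh check-tomb.sh --check` in the same shell session you normally run Tomb from, since DISPLAY and PATH are what matter; a result of "not vulnerable" says nothing about keys that were created earlier under a different configuration.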
📡 Detection & Monitoring
Log Indicators:
- Tomb runs in which pinentry-curses printed warning text while DISPLAY was set (visible on the terminal or in recorded shell sessions): any tomb or key created or re-protected in such a run should be treated as protected by the predictable string
- Tomb opens by a user, host or time that does not match the owner's normal use, in particular from scripts or sessions without a controlling terminal
Network Indicators:
- None specific to this flaw; it is exploited offline against copies of the tomb and key files, so the relevant network event is those files leaving the host, covered by ordinary data-exfiltration monitoring
SIEM Query (illustrative, ECS-style field names; requires a process-execution source such as auditd or an EDR agent, and the field names must be mapped to that source):
process.name='tomb' AND (event.action='open' OR event.action='close') AND NOT user.interactive=true