+- Maui Forums (https://forums.mauilinux.org)
+-- Forum: Community (https://forums.mauilinux.org/forumdisplay.php?fid=7)
+--- Forum: General Talk (https://forums.mauilinux.org/forumdisplay.php?fid=80)
+--- Thread: CVE-2016-4484: Cryptsetup Initrd root Shell (/showthread.php?tid=24219)
CVE-2016-4484: Cryptsetup Initrd root Shell - kdemeoz - 9th January 2017
Posting this here FYI of other Maui users, in case it affects you.
Extracts:
"A vulnerability in Cryptsetup, concretely in the scripts that unlock the system partition when the partition is ciphered using LUKS (Linux Unified Key Setup) ... This vulnerability allows to obtain a root initramfs shell on affected systems. The vulnerability is very reliable because it doesn't depend on specific systems or configurations. Attackers can copy, modify or destroy the hard disc as well as set up the network to exflitrate data. This vulnerability is specially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protect (password in BIOS and GRUB) and we only have a keyboard or/and a mouse" ... http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html
"If you use Debian or Ubuntu/ (probably many derived distributions are also vulnerable, but we have not tested), and you have encrypted the system partition, then your systems is vulnerable" ... http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html
"It could be quite easy to bypass the authentication procedures on some Linux systems just by holding down the Enter key for around 70 seconds. In this way, it is possible to open a shell with root privileges and gain complete remote control over encrypted Linux machine.The problem is related to a security vulnerability, tracked as CVE-2016-4484, in the implementation of the Cryptsetup utility" ... http://securityaffairs.co/wordpress/53494/breaking-news/cve-2016-4484-linux.html
I think my systems are immune as i didn't install Maui with LUKS full-disk encryption during setup, only /home with eCryptFS during setup, & a separate /DATA partition with eCryptFS post-installation. However anyone with full-disk encryption might want to read the linked info.
RE: CVE-2016-4484: Cryptsetup Initrd root Shell - leszek - 9th January 2017
Quote:This vulnerability is specially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protect (password in BIOS and GRUB) and we only have a keyboard or/and a mouseIt is exactly the opposite. Those who run a full disk encryption and need grub to decrypt the boot partition have nothing to worry as you then need to first crack the grub password/ decrypt stuff.
The issue in itself is not so major as some want to make it as even on systems with non encrypted /boot you have the option to access this non encrypted /boot (with physical access) and can modify the initrd to log keystrokes for example.
You are not able to access the / partition however as it is encrypted. As the busybox shell of initramfs is very basic you don't even get a text editor in it to modify the shell scripts.
Even simple network access is not something trivial to configure as at least in current iterations of debian and ubuntu a normal dhclient command will not make wget work with dns entries. So you still need an IP adress to download something malicious.
All in all this problem exists for several years already and I personally don't regard it as a bug but rather a debugging feature build into the initramfs scripts.
Btw. there is also the debug flag that allows you to go directly into initramfs if you want.
RE: CVE-2016-4484: Cryptsetup Initrd root Shell - kdemeoz - 9th January 2017
Cool, thanks. BTW, i posted it here purely for info... i was not trying to start any forest-fire :-)