[dm-crypt] About CVE-2016-4484: - Cryptsetup Initrd root Shell

Robert Nichols rnicholsNOSPAM at comcast.net
Tue Nov 15 16:18:51 CET 2016


On 11/15/2016 07:32 AM, Sven Eschenberg wrote:
> Obviously it is not a bug in cryptsetup, but rather in dracut and some
> distributions initrd scripts. What's really annoying about the CVE is
> the fact, that it is mostly irrelevant. If I can get to the password
> entry of an initrd, I obviously have control over the boot process. If I
> do have control over the boot process I have a splendid variety of
> options to do all the things described in the CVE.
>
> I wonder why the authors of the CVE recommend to freeze the system,
> instead of adding auth to get a shell. Seems quite stupid to completely
> remove the ability to investigate problems.

The boot process can be configured to deny that control (BIOS configured 
to boot from the internal drive only, GRUB set up to require a password 
for all except the default selection).

On a Red Hat system with an encrypted root filesystem, I get 5 attempts 
to enter the encryption password. Then the system locks up, and the only 
options are to (a) press <ESC> to dismiss the graphical boot screen and 
see a "wrong password" message, and/or (b) press CTRL-ALT-DEL to reboot.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.



More information about the dm-crypt mailing list