[dm-crypt] About CVE-2016-4484: - Cryptsetup Initrd root Shell
jonas at freesources.org
Wed Nov 16 01:08:31 CET 2016
Am 16.11.2016 um 00:52 schrieb Arno Wagner:
> On Wed, Nov 16, 2016 at 00:28:50 CET, Sven Eschenberg wrote:
>> The CVE however assumed, that you can not simply access the internal
>> parts of the machine. Still, more fuzz than substance in that CVE,
>> if you ask me.
> My take also. Probably some ego-boosting going on
> somewhere in this affair. The whole set-up seems
> contrieved to me and not of general applicability
> enough to make this a CVE or even a real defect.
> At best, I see a mild violation of the "Principle of
> least surprise". Anybody that really needs the
> "security" the fix provides has far bigger problems.
I agree that the whole issue is slightly overexaggerated and there's a
lot of clickbaiting going on in the news about it. 
Still I agree with the reporters that there are special scenarios where
the discovered flaw can be considered as vulnerability: For setups where
the attacker has physical access to keyboard but not to the computer and
both BIOS and bootloader are locked.
This is a very special setup but I can imagine that it exists at public
computers like in libraries, universities, bars, ...
While I don't agree on the way this issue was handled and I'm not
convinced that it deserves a CVE, I agree that we (as the distribution
developers/maintainers) should fix it in some way.
At the moment I'm inclined to suggest to propose a change to
initramfs-tools which disables the dropping to emergency shell per
default and reboots/freezes instead. Dropping to emergency shell in case
of an error during initramfs could be activated manually through a boot
 an extreme example is the headline "Major Linux security hole found
in Cryptsetup script for LUKS disk encryption", found here:
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the dm-crypt