[dm-crypt] About CVE-2016-4484: - Cryptsetup Initrd root Shell
rnicholsNOSPAM at comcast.net
Tue Nov 15 16:18:51 CET 2016
On 11/15/2016 07:32 AM, Sven Eschenberg wrote:
> Obviously it is not a bug in cryptsetup, but rather in dracut and some
> distributions initrd scripts. What's really annoying about the CVE is
> the fact, that it is mostly irrelevant. If I can get to the password
> entry of an initrd, I obviously have control over the boot process. If I
> do have control over the boot process I have a splendid variety of
> options to do all the things described in the CVE.
> I wonder why the authors of the CVE recommend to freeze the system,
> instead of adding auth to get a shell. Seems quite stupid to completely
> remove the ability to investigate problems.
The boot process can be configured to deny that control (BIOS configured
to boot from the internal drive only, GRUB set up to require a password
for all except the default selection).
On a Red Hat system with an encrypted root filesystem, I get 5 attempts
to enter the encryption password. Then the system locks up, and the only
options are to (a) press <ESC> to dismiss the graphical boot screen and
see a "wrong password" message, and/or (b) press CTRL-ALT-DEL to reboot.
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
More information about the dm-crypt