[dm-crypt] About CVE-2016-4484: - Cryptsetup Initrd root Shell

Sven Eschenberg sven at whgl.uni-frankfurt.de
Wed Nov 16 00:28:50 CET 2016

Am 16.11.2016 um 00:15 schrieb Michael Kjörling:
> On 15 Nov 2016 20:42 +0100, from sven at whgl.uni-frankfurt.de (Sven Eschenberg):
>>> Either way, you need the BIOS administrator password to get to an
>>> alternative boot device.
>> I wonder however how securely that password is stored?
> Almost certainly not securely at all. It certainly is easy to clear
> once you have physical access: All you need to do is get access to the
> motherboard and either remove/disconnect the CMOS battery, or set a
> jumper to a "CLEAR CMOS" or similarly labeled position. I would expect
> some modicum of protection such that the password isn't stored in
> clear text in NVRAM or flash readable to all and sundry, but I
> wouldn't expect anything much more sophisticated than an XOR with a
> fixed value, a CRC-32 checksum, or similar. The exact details almost
> certainly vary with BIOS implementations and there's no guarantee that
> there aren't implementations out there that actually do the right
> thing, but BIOS password storage methods is hardly a distinguishing
> feature among motherboard manufacturers. Don't expect a proper PBKDF.
> Think of the BIOS passwords (both user and administrator) not really
> as tamper-proofing measures as much as a tamper-evidence measures.
> Feel free to mentally s/BIOS/UEFI/g above if that's your
> open-at-the-top-container of hot-breakfast-beverage-of-choice.

That was more of a rhetoric question, to be honest. I have substantial 
doubts that passwords in the very space limited NVRAM are somehow 
cryptographically hashed or something. If you can recover the PW from 
the stored data however, then even tamper-evidence is effectively gone. 
isn't it?

And, let's call it firmware, that should cover for both, UEFI and 
classic BIOS, I think ;-).

The CVE however assumed, that you can not simply access the internal 
parts of the machine. Still, more fuzz than substance in that CVE, if 
you ask me.

More information about the dm-crypt mailing list