All of lore.kernel.org
 help / color / mirror / Atom feed
From: Robert Nichols <rnicholsNOSPAM@comcast.net>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] About CVE-2016-4484: - Cryptsetup Initrd root Shell
Date: Tue, 15 Nov 2016 09:18:51 -0600	[thread overview]
Message-ID: <o0f90o$h18$1@blaine.gmane.org> (raw)
In-Reply-To: <ed9a2d2d-c90c-d6ed-9b2d-ac45e5bd5713@whgl.uni-frankfurt.de>

On 11/15/2016 07:32 AM, Sven Eschenberg wrote:
> Obviously it is not a bug in cryptsetup, but rather in dracut and some
> distributions initrd scripts. What's really annoying about the CVE is
> the fact, that it is mostly irrelevant. If I can get to the password
> entry of an initrd, I obviously have control over the boot process. If I
> do have control over the boot process I have a splendid variety of
> options to do all the things described in the CVE.
>
> I wonder why the authors of the CVE recommend to freeze the system,
> instead of adding auth to get a shell. Seems quite stupid to completely
> remove the ability to investigate problems.

The boot process can be configured to deny that control (BIOS configured 
to boot from the internal drive only, GRUB set up to require a password 
for all except the default selection).

On a Red Hat system with an encrypted root filesystem, I get 5 attempts 
to enter the encryption password. Then the system locks up, and the only 
options are to (a) press <ESC> to dismiss the graphical boot screen and 
see a "wrong password" message, and/or (b) press CTRL-ALT-DEL to reboot.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.

  reply	other threads:[~2016-11-15 15:19 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-11-15 12:34 [dm-crypt] About CVE-2016-4484: - Cryptsetup Initrd root Shell Milan Broz
2016-11-15 13:27 ` Arno Wagner
2016-11-15 13:32 ` Sven Eschenberg
2016-11-15 15:18   ` Robert Nichols [this message]
2016-11-15 18:40     ` Sven Eschenberg
2016-11-15 19:19       ` Robert Nichols
2016-11-15 19:42         ` Sven Eschenberg
2016-11-15 22:51           ` Robert Nichols
2016-11-15 23:15           ` Michael Kjörling
2016-11-15 23:28             ` Sven Eschenberg
2016-11-15 23:52               ` Arno Wagner
2016-11-16  0:08                 ` Jonas Meurer
2016-11-16  1:15                   ` Sven Eschenberg
2016-11-16  7:32                     ` Milan Broz
2016-11-16 13:48                       ` Arno Wagner
2016-11-29 14:56                         ` David Niklas
2016-12-07 11:37 ` Jonas Meurer
2016-12-07 13:00   ` Arno Wagner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='o0f90o$h18$1@blaine.gmane.org' \
    --to=rnicholsnospam@comcast.net \
    --cc=dm-crypt@saout.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.