From: David Niklas
Date: Tue, 29 Nov 2016 09:56:28 -0500
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] About CVE-2016-4484: - Cryptsetup Initrd root Shell
Message-ID: <20161129095628.145ec2ac@ulgy_thing>
In-Reply-To: <20161116134826.GD17781@tansi.org>

On Wed, 16 Nov 2016 14:48:27 Arno Wagner wrote:
> On Wed, Nov 16, 2016 at 08:32:12 CET, Milan Broz wrote:
> > On 11/16/2016 02:15 AM, Sven Eschenberg wrote:
> > ...
> > >
> > > There's a whole bunch of headlines among these lines. I've read
> > > that cryptsetup has a vulnerability exposing a root-shell on an
> > > encrypted system. Not quite so.
> >
> > Yes, this is the real "contribution" of reporting a bug with
> > (possibly even unrelated) project name in headlines.
> >
> > But seems users themselves correct some stupid article comments,
> > thanks for it! ;-)
> >
> > Sometimes I wish security is less theater and more responsibility...
> > (This bug cost me hours of explanation that upstream has nothing to
> > fix and that in fact the cryptsetup/LUKS worked as designed.)
> >
> Tell me about it. I have these discussions regularly as a
> security consultant, simply because a lack of understanding
> on customer side and attribution of errors by keyword-matching
> instead.
>
> I think I will add a new section to the FAQ dealing with initrd
> issues.
> Contents:
> 1) No, the initrd is _not_ part of cryptsetup, it is your
> distro that screwed up if it is broken or insecure.
> 2) If you depend on the initrd doing something securely,
> roll your own and lock that down.
> 3) (Maybe an example...)
>
> Regards,
> Arno
>

Personally, I've known about this for years (because I could not remember my password one day), and I thought it was helpful to be able to drop to a shell when cryptsetup does not return 0. Great debugging aid if you wrote something wrong in the initrd. Besides, if I was truly an evil attacker with physical access, surely I could come up with a better attack than this one (Change out the cpu/CMOS/BIOS with an evil one! No more TPE! No more Intel TxT! No more *secure* hardware crypto devices! Etc.!!!).

Sincerely,
David
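As an added illustration of Arno's point 2 (roll your own initrd unlock step and lock it down) and of the behaviour David describes (falling into a shell when cryptsetup does not return 0), here is a sketch of a fail-closed unlock step for a busybox-style initramfs. It is example code written for this page, not code from the thread, from cryptsetup or from any distribution's initramfs; the device path `/dev/sda2`, the mapping name `root`, the `MAX_TRIES` default of 3 and the use of `reboot -f` as the failure action are all assumptions. The unlock command is passed in as a string so the retry logic can be exercised without a LUKS device.

```shell
#!/bin/sh
# Added example (not from the thread or from cryptsetup): a locked-down
# initramfs unlock step that does NOT drop to a debug shell when
# cryptsetup keeps failing. Assumes cryptsetup is on PATH and that
# /dev/sda2 holds the LUKS container to open as /dev/mapper/root
# (both assumed names).

MAX_TRIES="${MAX_TRIES:-3}"   # assumed default; distros usually allow a few tries

# try_unlock CMD MAX: run CMD (a shell command string) up to MAX times,
# stopping at the first success. Returns 0 on success, 1 when every
# attempt failed. CMD is evaluated in this shell, so it can be a real
# cryptsetup call or a stand-in during testing.
try_unlock() {
    cmd=$1
    max=$2
    n=0
    while [ "$n" -lt "$max" ]; do
        n=$((n + 1))
        if eval "$cmd"; then
            return 0
        fi
        echo "unlock attempt $n of $max failed" >&2
    done
    return 1
}

# fail_closed: what to do once attempts are exhausted. A debug-shell
# fallback is handy while writing the initrd (David's point) but is
# exactly what a locked-down initrd must not do; here the machine is
# halted instead. FAIL_ACTION lets a test substitute a harmless command.
fail_closed() {
    ${FAIL_ACTION:-reboot -f}
}

# unlock_root DEVICE NAME: the entry point the initramfs would call.
unlock_root() {
    try_unlock "cryptsetup open --type luks '$1' '$2'" "$MAX_TRIES" || fail_closed
}

# Only touch real devices when explicitly asked, so sourcing this file
# for inspection or testing is side-effect free.
if [ "${RUN_UNLOCK:-0}" = 1 ]; then
    unlock_root /dev/sda2 root   # assumed example device and mapping name
fi
```

The design choice worth noting is that the failure path is a separate function with a single, non-interactive action: whatever the unlock command returns, there is no branch that hands an unauthenticated console to whoever is at the keyboard, which is the whole difference between a debugging convenience and a lockdown.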