From: Robert Nichols <rnicholsNOSPAM@comcast.net>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] About CVE-2016-4484: - Cryptsetup Initrd root Shell
Date: Tue, 15 Nov 2016 09:18:51 -0600 [thread overview]
Message-ID: <o0f90o$h18$1@blaine.gmane.org> (raw)
In-Reply-To: <ed9a2d2d-c90c-d6ed-9b2d-ac45e5bd5713@whgl.uni-frankfurt.de>
On 11/15/2016 07:32 AM, Sven Eschenberg wrote:
> Obviously it is not a bug in cryptsetup, but rather in dracut and some
> distributions initrd scripts. What's really annoying about the CVE is
> the fact, that it is mostly irrelevant. If I can get to the password
> entry of an initrd, I obviously have control over the boot process. If I
> do have control over the boot process I have a splendid variety of
> options to do all the things described in the CVE.
>
> I wonder why the authors of the CVE recommend to freeze the system,
> instead of adding auth to get a shell. Seems quite stupid to completely
> remove the ability to investigate problems.
The boot process can be configured to deny that control (BIOS configured
to boot from the internal drive only, GRUB set up to require a password
for all except the default selection).
On a Red Hat system with an encrypted root filesystem, I get 5 attempts
to enter the encryption password. Then the system locks up, and the only
options are to (a) press <ESC> to dismiss the graphical boot screen and
see a "wrong password" message, and/or (b) press CTRL-ALT-DEL to reboot.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
next prev parent reply other threads:[~2016-11-15 15:19 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-15 12:34 [dm-crypt] About CVE-2016-4484: - Cryptsetup Initrd root Shell Milan Broz
2016-11-15 13:27 ` Arno Wagner
2016-11-15 13:32 ` Sven Eschenberg
2016-11-15 15:18 ` Robert Nichols [this message]
2016-11-15 18:40 ` Sven Eschenberg
2016-11-15 19:19 ` Robert Nichols
2016-11-15 19:42 ` Sven Eschenberg
2016-11-15 22:51 ` Robert Nichols
2016-11-15 23:15 ` Michael Kjörling
2016-11-15 23:28 ` Sven Eschenberg
2016-11-15 23:52 ` Arno Wagner
2016-11-16 0:08 ` Jonas Meurer
2016-11-16 1:15 ` Sven Eschenberg
2016-11-16 7:32 ` Milan Broz
2016-11-16 13:48 ` Arno Wagner
2016-11-29 14:56 ` David Niklas
2016-12-07 11:37 ` Jonas Meurer
2016-12-07 13:00 ` Arno Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='o0f90o$h18$1@blaine.gmane.org' \
--to=rnicholsnospam@comcast.net \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox