Major Linux security hole found in Cryptsetup script for LUKS disk encryption
A security vulnerability discovered in numerous Linux distros potentially puts millions of users at risk. CVE-2016-4484 (Cryptsetup Initrd root Shell) affects the Cryptsetup script that is used to unlock partitions encrypted with LUKS (Linux Unified Key Setup).
The flaw means that it is possible for a hacker to access, change or delete data on the hard drive, and it is not even necessary to have physical access to exploit the vulnerability in every circumstance. But the worrying thing is just how easy the problem is to exploit.
The problem lies in the way password checking is handled by /scripts/local-top/cryptroot. By doing nothing more than tapping the Enter key during the boot process, the system can be tricked into thinking there is a problematic piece of hardware. When the maximum number of trials for transient hardware faults is reached, the user is dropped into the BusyBox root shell.
Details of the vulnerability were revealed by Hector Marco and Ismael Ripoll, who explain:
This vulnerability allows to obtain a root initramfs shell on affected systems. The vulnerability is very reliable because it doesn't depend on specific systems or configurations. Attackers can copy, modify or destroy the hard disc as well as set up the network to exflitrate data. This vulnerability is specially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protect (password in BIOS and GRUB) and we only have a keyboard or/and a mouse.
Note that in cloud environments it is also possible to remotely exploit this vulnerability without having physical access.
The good news, however, is that the problem is incredibly simple to fix -- a quick file edit is all it takes. But, of course, such fixes take a while to implement, placing systems at risk until that time.