CVE-2016-4484 Hold down the Enter key for 70 sec to gain a Linux Root shell

Pierluigi Paganini November 16, 2016

The CVE-2016-4484 vulnerability can be exploited to gain a Linux Root shell by simply pressing the Enter Key for 70 Seconds.

It could be quite easy to bypass the authentication procedures on some Linux systems just by holding down the Enter key for around 70 seconds. In this way, it is possible to open a shell with root privileges and gain complete remote control over encrypted Linux machine.The problem is related to a security vulnerability, tracked as CVE-2016-4484, in the implementation of the Cryptsetup utility.

The CVE-2016-4484 was discovered by the Spanish security researchers Hector Marco and Ismael Ripoll. The principal Linux distributions, including Debian, Ubuntu, Fedora, Red Hat Enterprise Linux (RHEL), and SUSE Linux Enterprise Server (SLES) are vulnerable. Millions of users are at risk.

“A vulnerability in Cryptsetup, concretely in the scripts that unlock the system partition when the partition is ciphered using LUKS (Linux Unified Key Setup). The disclosure of this vulnerability was presented as part of our talk “Abusing LUKS to Hack the System” in the DeepSec 2016 security conference, Vienna.” Wrote the researchers in a security advisory.

“This vulnerability allows to obtain a root initramfs shell on affected systems. The vulnerability is very reliable because it does not depend on specific systems or configurations. Attackers can copy, modify or destroy the hard disc as well as set up the network to exfiltrate data. This vulnerability is especially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protected (password in BIOS and GRUB) and we only have a keyboard or/and a mouse.”

The Cryptsetup is a utility used to conveniently setup disk encryption based on the DMCrypt kernel module.These include plain dm-crypt volumes, LUKS volumes, loop-AES and TrueCrypt (including VeraCrypt extension) format.

The bug affects the way the Cryptsetup utility handles decryption password process when a system boots up, which lets a user retry the password multiple times.

Even if the user has exhausted all 93 password attempts, the user displays a shell that has root privileges.

Simply holding down the Enter key for more or less 70 seconds user will gain access to a root initial RAM file system (aka initramfs) shell that gives him full access to local file system and could be exploited to exfiltrate data via the network. The bad news is that the flaw is also remotely exploitable by attackers, this is the case of cloud-based services running on Linux that could be targeted without having ‘physical access.’

The experts highlighted the fact that anyway the attacker is not able to access to to the contents of the encrypted drive.

Below the list of operations allowed to the attacker:

  • Elevation of privilege: Since the boot partition is typically not encrypted:
    • It can be used to store an executable file with the bit SetUID enabled. Which can later be used to escalate privileges by a local user.
    • If the boot is not secured, then it would be possible to replace the kernel and the initrd image.
  • Information disclosure: It is possible to access all the disks. Although the system partition is encrypted it can be copied to an external device, where it can be later be brute forced. Obviously, it is possible to access to non-encrypted information in other devices.
  • Denial of service: The attacker can delete the information on all the disks.

In order to fix the problem, you need to check for the availability of a patch. In case there is no patch, the problem could be solved by modifying the cryptroot file to limit the number of password attempts and stop the boot sequence when this number is reached.

CVE-2016-4484 cryptsetup-manual-fix

You can add the following commands to your boot configuration:

sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="panic=5 /' /etc/default/grub grub-install

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CVE-2016-4484, Linux)


you might also like

leave a comment