On November 11, 2016, Hector Marco, a lecturer at the University of the West of Scotland, and Ismael Ripoll, assistant professor at the Technical University of Valencia, disclosed a high-risk vulnerability (CVE-2016-4484) in the cryptsetup boot scripts shipped by popular Linux distributions. Holding the Enter key at the LUKS passphrase prompt for about 70 seconds exhausts the script's retry loop and drops the attacker into a root shell inside the initramfs, giving them control of the box's early boot environment without knowing the passphrase.
Alibaba Cloud users should review the following information about the vulnerability to assess and, where necessary, reduce their exposure.
Cryptsetup initrd root shell
The vulnerability is in the initramfs script that unlocks a Linux Unified Key Setup (LUKS) volume at boot, as shipped by popular Linux distributions; it is not a weakness in the LUKS format or in the encryption itself. An attacker who can reach the passphrase prompt can trigger the shell without knowing the passphrase; the attack does not depend on a specific system or configuration, and it also works against cloud-based virtual Linux boxes whose boot console is reachable remotely.
The shell runs as root with the disks attached. It does not decrypt the LUKS volume, but it lets the attacker modify the unencrypted boot partition (for example, to plant a kernel or initramfs that captures the passphrase at the next boot), copy the encrypted disk for offline attacks on the passphrase, or wipe it. Depending on the attacker's goal the outcome is therefore elevation of privilege, information disclosure, or denial of service.
Condition and method of exploitation
The attack requires a root file system that is unlocked from the initramfs (the machine prompts for a LUKS passphrase during boot) and access to that prompt, either from a physical keyboard or from a remote console that exposes the boot sequence. The attacker simply holds Enter, submitting empty passphrases, until the retry limit is exhausted and the script falls through to the emergency shell.
Affected: the cryptsetup boot scripts on Ubuntu, Debian, and Fedora systems with an encrypted root file system.
By default, the disks of Alibaba Cloud ECS instances are not encrypted, so no LUKS passphrase prompt appears during boot and there is no physical keyboard on which to hold Enter. ECS instances are therefore not affected in their default configuration. If you have set up LUKS full-disk encryption on an instance yourself, treat it as a self-managed Linux box and run the check below, because any console that reaches the passphrase prompt is enough to trigger the attack.
Run blkid as root to list the block devices and their types. Encrypted partitions show TYPE="crypto_LUKS" (/dev/sda5 in the sample output below); if no device has that type, you are not affected by this vulnerability. Sample output:
/dev/sda1: UUID="db96cdf9-99c3-4239-95f2-6af2651ef3ac" TYPE="ext2"
/dev/sda5: UUID="d491bf52-a9ea-466f-be9b-3a5df954699e" TYPE="crypto_LUKS"
/dev/mapper/sda5_crypt: UUID="30xz0y-4LeG-LwuL-QHI9-pWWi-BxHf-F3udoC" TYPE="LVM2_member"
/dev/mapper/lubuntu--vg-root: UUID="53f95bd1-9e1c-4e23-9ff3-990d90c5cc92" TYPE="ext4"
/dev/mapper/lubuntu--vg-swap_1: UUID="9eac532c-1b54-4cac-9995-b4b921222422" TYPE="swap"
/dev/zram0: UUID="c2929c6e-2432-40ee-99a5-deadbeefa53e" TYPE="swap"
/dev/zram1: UUID="d1bf1e22-dead-beef-9c49-e6462449d6e2" TYPE="swap"
/dev/zram2: UUID="12a9232d-c62e-0df6-93ea-22ac3600bdf0" TYPE="swap"
/dev/zram3: UUID="bf777ad3-13fc-4ad5-914b-002e67262939" TYPE="swap"
Alternatively, use the automatic detection function of Alibaba Cloud Security Server Guard to check whether your instances are affected.
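The check above can be scripted. The following is an added example, not code from the bulletin or from the researchers: it parses blkid output for crypto_LUKS devices and also inspects the kernel command line for a panic= parameter, since a host that has LUKS but already boots with panic= set is mitigated rather than exposed. The sample blkid output and /proc/cmdline contents are constructed; on a live host run the script with --live as root.

```sh
#!/bin/sh
# Added example (not from the Alibaba Cloud bulletin): screen a host for
# exposure to CVE-2016-4484. A host is exposed when it has a LUKS volume
# AND the kernel command line carries no panic= setting, so a failed
# unlock in the initramfs opens a shell instead of rebooting.

# luks_devices: print the device names whose blkid TYPE is crypto_LUKS.
# Reads blkid-style lines from stdin, so it works on live output
# ("blkid | luks_devices") as well as on a saved copy.
luks_devices() {
    sed -n 's/^\([^:]*\):.*TYPE="crypto_LUKS".*/\1/p'
}

# cmdline_has_panic CMDLINE: exit 0 if the kernel command line contains a
# panic=<seconds> parameter as a separate word, non-zero otherwise.
cmdline_has_panic() {
    printf '%s\n' "$1" | grep -Eq '(^| )panic=[0-9]+( |$)'
}

# assess BLKID_OUTPUT CMDLINE: combine both checks and print one of
# "not-affected" (no LUKS device), "mitigated" (LUKS and panic= set) or
# "exposed" (LUKS without panic=).
assess() {
    blkid_out=$1
    cmdline=$2
    if [ -z "$(printf '%s\n' "$blkid_out" | luks_devices)" ]; then
        echo not-affected
    elif cmdline_has_panic "$cmdline"; then
        echo mitigated
    else
        echo exposed
    fi
}

# Constructed sample data standing in for a real blkid run and
# /proc/cmdline on a Lubuntu box with an encrypted LVM root.
SAMPLE_BLKID='/dev/sda1: UUID="db96cdf9-99c3-4239-95f2-6af2651ef3ac" TYPE="ext2"
/dev/sda5: UUID="d491bf52-a9ea-466f-be9b-3a5df954699e" TYPE="crypto_LUKS"
/dev/mapper/sda5_crypt: UUID="30xz0y-4LeG-LwuL-QHI9-pWWi-BxHf-F3udoC" TYPE="LVM2_member"'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-4.4.0-47-generic root=/dev/mapper/lubuntu--vg-root ro quiet splash'

if [ "${1:-}" = "--live" ]; then
    # Real host: blkid needs root to see every device.
    assess "$(blkid)" "$(cat /proc/cmdline)"
else
    printf 'LUKS devices: %s\n' "$(printf '%s\n' "$SAMPLE_BLKID" | luks_devices)"
    printf 'status: %s\n' "$(assess "$SAMPLE_BLKID" "$SAMPLE_CMDLINE")"   # prints "status: exposed"
fi
```

Treat the result as a screening check: the boot-time prompt only appears for volumes the initramfs has to unlock (normally the one holding the root file system), which you can confirm from /etc/crypttab and the root= entry of /proc/cmdline. A crypto_LUKS data volume that is unlocked after the system is up does not by itself expose the host.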
How to fix or mitigate
As a temporary mitigation, add panic=5 to the kernel command line so that a failed unlock makes the initramfs reboot the machine after 5 seconds instead of opening its emergency shell. The following command prepends the parameter to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub:
# sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="panic=5 /' /etc/default/grub
Note: Back up snapshots and data before the operation. The command only edits /etc/default/grub; run update-grub (Debian/Ubuntu) or grub2-mkconfig -o /boot/grub2/grub.cfg (Fedora) afterwards to regenerate the boot configuration, and after the next reboot confirm with cat /proc/cmdline that panic=5 is present. Be aware that the parameter also suppresses the initramfs emergency shell for legitimate recovery work, so a genuinely failed unlock now shows up as a reboot loop. This is a workaround, not a fix: install your distribution's patched cryptsetup package as soon as it is available.
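The script below is an added example rather than code from the bulletin. It applies the same edit as the one-line sed above, but idempotently and with a check that the edit took effect: it refuses to touch a file that has no GRUB_CMDLINE_LINUX_DEFAULT line, skips the edit if panic= is already present, keeps a .bak copy, and prints the resulting line for verification. The regenerate_grub_config helper assumes a BIOS-style GRUB2 layout (update-grub on Debian/Ubuntu, grub2-mkconfig -o /boot/grub2/grub.cfg on Fedora); UEFI installs keep grub.cfg under /boot/efi instead. The demo at the bottom runs against a constructed copy of /etc/default/grub, not the real file.

```sh
#!/bin/sh
# Added example, not code from the Alibaba Cloud bulletin: apply the
# panic=5 mitigation for CVE-2016-4484 to a GRUB2 default file safely.

# add_panic_to_grub_default FILE [SECONDS]
# Prepends panic=<SECONDS> (default 5) to GRUB_CMDLINE_LINUX_DEFAULT in
# FILE, the same edit as the bulletin's sed, but only once and with a
# backup. Prints the resulting line; returns 1 if the line is absent.
add_panic_to_grub_default() {
    file=$1
    secs=${2:-5}
    if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT="' "$file"; then
        echo "$file: no GRUB_CMDLINE_LINUX_DEFAULT=\"...\" line; add it by hand" >&2
        return 1
    fi
    # Already mitigated? Match panic=N at the start of the value or after a space.
    if ! grep -Eq '^GRUB_CMDLINE_LINUX_DEFAULT="([^"]* )?panic=[0-9]+' "$file"; then
        cp "$file" "$file.bak"   # keep a copy, as the bulletin advises
        sed -i "s/^GRUB_CMDLINE_LINUX_DEFAULT=\"/GRUB_CMDLINE_LINUX_DEFAULT=\"panic=$secs /" "$file"
    fi
    grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"
}

# regenerate_grub_config
# /etc/default/grub is only an input; the bootloader reads grub.cfg, so
# it must be regenerated. Assumes a BIOS-style GRUB2 layout (UEFI installs
# keep grub.cfg under /boot/efi). Must run as root on a real host.
regenerate_grub_config() {
    if command -v update-grub >/dev/null 2>&1; then
        update-grub                                # Debian/Ubuntu wrapper
    elif command -v grub2-mkconfig >/dev/null 2>&1; then
        grub2-mkconfig -o /boot/grub2/grub.cfg    # Fedora/RHEL family
    else
        grub-mkconfig -o /boot/grub/grub.cfg
    fi
}

# Demo on a constructed copy of a typical Ubuntu /etc/default/grub.
# On a real host: add_panic_to_grub_default /etc/default/grub && regenerate_grub_config
demo=$(mktemp)
cat > "$demo" <<'EOF'
GRUB_DEFAULT=0
GRUB_TIMEOUT=10
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX=""
EOF
add_panic_to_grub_default "$demo"   # -> GRUB_CMDLINE_LINUX_DEFAULT="panic=5 quiet splash"
add_panic_to_grub_default "$demo"   # second run leaves the file unchanged
rm -f "$demo" "$demo.bak"
```

The sed is anchored at the start of the line, so a commented-out #GRUB_CMDLINE_LINUX_DEFAULT line is left alone, and the guard against a missing line matters in practice: some images set only GRUB_CMDLINE_LINUX, in which case the bulletin's one-liner silently changes nothing.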