
[Vulnerability notice] CVE-2016-4484: Cryptsetup Initram root shell

Last Updated: Mar 19, 2018

On November 11, 2016, Hector Marco, a lecturer at the University of the West of Scotland, and Ismael Ripoll, an assistant professor at the Technical University of Valencia, found a high-risk vulnerability (CVE-2016-4484) in Linux. On an affected machine, pressing and holding the Enter key for 70 seconds at boot drops the attacker into a root initramfs shell, from which the Linux box can be compromised.

Alibaba Cloud users are advised to review the information below to keep their business secure.

The details of the vulnerability are as follows.


CVE identifier

CVE-2016-4484

Vulnerability name

Cryptsetup initrd root shell

Vulnerability rating

High

Vulnerability description

This vulnerability exists in the Linux Unified Key Setup (LUKS) support of popular Linux distributions. An attacker who reaches the shell can decrypt the Linux machine, regardless of the specific system or configuration. The attack also applies to cloud-based virtual Linux machines.

This vulnerability allows an attacker to obtain the highest level of permissions on the server, which can lead to data leakage.

Condition and method of exploitation

If the operating system's file system is encrypted, an attacker can exploit this vulnerability with a keyboard action alone (holding the Enter key during boot), so access to the keyboard or console is required.

Affected scope

Cryptsetup in Ubuntu, Fedora, and Debian Linux operating systems with an encrypted file system.

By default, the file systems of Alibaba Cloud ECS instances are not encrypted, and there is no physical console on which the keyboard action could be triggered. Therefore, ECS instances are not affected by this vulnerability.

Vulnerability detection

Run the following command to list block devices and their types; a device with TYPE="crypto_LUKS" is an encrypted partition. If the output shows no crypto_LUKS device, you are not affected by this vulnerability.

  $ blkid
  /dev/sda1: UUID="db96cdf9-99c3-4239-95f2-6af2651ef3ac" TYPE="ext2"
  /dev/sda5: UUID="d491bf52-a9ea-466f-be9b-3a5df954699e" TYPE="crypto_LUKS"
  /dev/mapper/sda5_crypt: UUID="30xz0y-4LeG-LwuL-QHI9-pWWi-BxHf-F3udoC" TYPE="LVM2_member"
  /dev/mapper/lubuntu--vg-root: UUID="53f95bd1-9e1c-4e23-9ff3-990d90c5cc92" TYPE="ext4"
  /dev/mapper/lubuntu--vg-swap_1: UUID="9eac532c-1b54-4cac-9995-b4b921222422" TYPE="swap"
  /dev/zram0: UUID="c2929c6e-2432-40ee-99a5-deadbeefa53e" TYPE="swap"
  /dev/zram1: UUID="d1bf1e22-dead-beef-9c49-e6462449d6e2" TYPE="swap"
  /dev/zram2: UUID="12a9232d-c62e-0df6-93ea-22ac3600bdf0" TYPE="swap"
  /dev/zram3: UUID="bf777ad3-13fc-4ad5-914b-002e67262939" TYPE="swap"

Alternatively, you can use the automatic detection function of Alibaba Cloud Security Server Guard to check for any impact.

How to fix or mitigate

Add the following kernel parameter to the boot configuration as a temporary mitigation. With panic=5 set, the initramfs reboots the machine after 5 seconds when the boot sequence fails instead of dropping to a shell.

  # sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="panic=5 /' /etc/default/grub
  # update-grub   # regenerates /boot/grub/grub.cfg on Debian/Ubuntu; grub-install alone does not rewrite grub.cfg. On Fedora the variable is GRUB_CMDLINE_LINUX and the file is regenerated with grub2-mkconfig -o /boot/grub2/grub.cfg

Note: Take a snapshot and back up your data before making this change.
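The following shell script is an added example and is not part of this notice or of the upstream advisory. It automates the detection step and the mitigation check above on data passed in as arguments, so it can be exercised without root access: it lists devices whose blkid TYPE is crypto_LUKS, reports whether a kernel command line already carries a panic= setting, gives a per-host verdict, and prepends panic=5 to GRUB_CMDLINE_LINUX_DEFAULT in a grub defaults file only when it is not already there. The function names and the embedded sample input (copied from the blkid output shown above) are constructed for the example.

```sh
#!/bin/sh
# Added example (not part of the Alibaba Cloud notice or the upstream advisory).
# Detection and mitigation checks for CVE-2016-4484 that take their inputs as
# arguments, so they can be exercised on constructed data without root access.

# Print the names of block devices whose blkid TYPE is crypto_LUKS, one per line.
# $1: text in `blkid` output format.
luks_devices() {
    printf '%s\n' "$1" | sed -n 's/^\([^:]*\):.*TYPE="crypto_LUKS".*/\1/p'
}

# Return 0 if a kernel command line (or a GRUB_CMDLINE_LINUX_DEFAULT value)
# already carries a panic=<seconds> setting, 1 otherwise. The surrounding
# spaces keep "nopanic=" and "panic_on_oops=" from matching.
# $1: the command line, e.g. the content of /proc/cmdline.
has_panic_setting() {
    case " $1 " in
        *" panic="[0-9-]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Verdict for one host: "not-affected" (no LUKS device), "mitigated"
# (LUKS device present but panic= already set) or "affected".
# $1: blkid output, $2: kernel command line.
assess() {
    if [ -z "$(luks_devices "$1")" ]; then
        echo not-affected
    elif has_panic_setting "$2"; then
        echo mitigated
    else
        echo affected
    fi
}

# Prepend panic=5 to GRUB_CMDLINE_LINUX_DEFAULT in a grub defaults file,
# but only once: a second run leaves an already-mitigated file untouched.
# Prints the resulting file. $1: path to a file in /etc/default/grub format.
add_panic_to_grub_default() {
    file="$1"
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$file")
    if ! has_panic_setting "$current"; then
        sed 's/^GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="panic=5 /' "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    fi
    cat "$file"
}

# Constructed sample input, copied from the blkid output shown in the notice.
SAMPLE_BLKID='/dev/sda1: UUID="db96cdf9-99c3-4239-95f2-6af2651ef3ac" TYPE="ext2"
/dev/sda5: UUID="d491bf52-a9ea-466f-be9b-3a5df954699e" TYPE="crypto_LUKS"
/dev/mapper/sda5_crypt: UUID="30xz0y-4LeG-LwuL-QHI9-pWWi-BxHf-F3udoC" TYPE="LVM2_member"'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/mapper/lubuntu--vg-root ro quiet splash'

# Demo on the constructed data and a throwaway copy of a grub defaults file.
demo() {
    echo "LUKS devices: $(luks_devices "$SAMPLE_BLKID")"
    echo "Verdict before mitigation: $(assess "$SAMPLE_BLKID" "$SAMPLE_CMDLINE")"
    tmp=$(mktemp)
    printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\n' > "$tmp"
    echo "Patched grub defaults:"
    add_panic_to_grub_default "$tmp"
    rm -f "$tmp"
}
demo
```

On a real host, run assess "$(blkid)" "$(cat /proc/cmdline)" as root, since blkid only sees all devices when run as root, and after patching /etc/default/grub run update-grub so the new command line actually reaches grub.cfg; the verdict only turns to "mitigated" after the next reboot, because it reads the running kernel's command line.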

Reference

[1] http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html
