You’re using Linux Disk Encryption? Can be bypassed by pressing ‘ENTER’ for 70 seconds!

A really dumb bug, but with a really simple fix!

A vulnerability in Cryptsetup, a utility used to set up encrypted filesystems on Linux distributions, could allow an attacker to retrieve a root rescue shell on some systems.

The security issue was discovered by the security researcher Hector Marco and relies to a vulnerability (CVE-2016–4484) in the implementation of the Cryptsetup utility used for encrypting hard drives via Linux Unified Key Setup (LUKS, the standard implementation of disk encryption on a Linux-based operating system).

The Cryptsetup utility has a strange way to handle password failures for the decryption process when a system boots up, permitting a user retry the password multiple times.

When a user reach 93 password attempts, it is dropped to a shell that has root privileges.

In other words, if you enter a blank password 93 times — or simply hold down the ‘Enter’ key for roughly 70 seconds — you will gain access to a root initramfs shell.

I can fix it?

If your distribution is vulnerable and a patch is not yet available, the vulnerability can be fixed by modifying grub configuration, adding the “panic” parameter to the kernel in order to prevent a shell:

# sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="panic=5 /' /etc/default/grub
# grub-install

More technical information on Hector Marco’s website


This site uses Akismet to reduce spam. Learn how your comment data is processed.