Researchers from the Polytechnic University of Valencia have discovered a critical flaw that can allow attackers – both local and remote – to obtain a root shell on affected Linux systems.
So far, they confirmed that the vulnerability (CVE-2016-4484) is present and can be exploited on Debian, Ubuntu and Fedora, but it’s possible that many derived distributions also feature it.
According to researchers Hector Marco and Ismael Ripoll, the vulnerability is found in the default configuration of Cryptsetup, which is used in those systems to set up cryptographic volumes. More particularly, it arises from how these operating systems implement the LUKS (Linux Unified Key Setup) standard for hard disk encryption.
“Just to avoid confusion, the bug is on the scripts (initramfs) and not in the cryptsetup encryption/decryption algorithms,” they added.
“The vulnerability is very reliable because it doesn’t depend on specific systems or configurations. Attackers can copy, modify or destroy the hard disc as well as set up the network to exfiltrate data,” they explained.
“This vulnerability is especially serious in environments like libraries, ATMs, airport machines, labs, etc., where the whole boot process is protected (password in BIOS and GRUB) and we only have a keyboard and/or a mouse. Note that in cloud environments it is also possible to remotely exploit this vulnerability without having ‘physical access’.”
It’s ironic that the vulnerability crops up only if the system partition was encrypted, either when the OS was installed or afterwards.
It’s also remarkable that an attacker with access to the vulnerable system can gain a root shell simply by rebooting the computer and then holding down the [Enter] key when prompted for the password that unlocks the system partition. The shell appears after 70 seconds or so.
From there, the attacker can reach every partition that is not encrypted: read the information stored on all disks, delete or modify it, plant executable files in the boot partition (which is usually not encrypted), and more.
The good news is that the flaw can be easily fixed by editing the cryptroot script (located at /scripts/local-top/cryptroot inside the initramfs). The fix and a workaround can be found here.
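To make the failure mode concrete, here is an added shell example (written for this article; it is not the cryptsetup project's script and not the researchers' patch). It models the two defensive pieces a practitioner cares about: a bounded unlock loop that fails closed when the password tries are exhausted instead of falling through to a recovery shell, and a helper that checks for, and applies, the kernel `panic=` boot-parameter workaround in `/etc/default/grub`. The `try_unlock` stand-in, the test password, the `panic=5` value and the grub line format are assumptions of this example; the real unlock call would be `cryptsetup`, and after editing the grub file the bootloader configuration still has to be regenerated.

```shell
#!/bin/sh
# Added example (not from the article or the cryptsetup project).
# (1) a fail-closed unlock loop, (2) a GRUB "panic=" workaround helper.

# ---- (1) fail-closed unlock loop ---------------------------------------
# try_unlock: stand-in for the real cryptsetup call. Succeeds only when
# the candidate equals EXPECTED_PASS (constructed fixture, not real key
# material).
EXPECTED_PASS="correct-horse"

try_unlock() {
    [ "$1" = "$EXPECTED_PASS" ]
}

# unlock_loop MAX_TRIES CANDIDATE...
# Feeds each candidate to try_unlock, at most MAX_TRIES times. Returns:
#   0 = unlocked within the allowed tries
#   2 = tries exhausted; the caller must fail closed (reboot/halt) and
#       never drop into an interactive shell, which is the CVE-2016-4484
#       behaviour the article describes (held Enter = a stream of empty
#       passwords)
unlock_loop() {
    max=$1; shift
    count=0
    for cand in "$@"; do
        count=$((count + 1))
        if [ "$count" -gt "$max" ]; then
            break
        fi
        if try_unlock "$cand"; then
            return 0
        fi
        echo "cryptsetup: unlock attempt $count of $max failed" >&2
    done
    echo "cryptsetup: maximum number of tries exceeded" >&2
    return 2
}

# ---- (2) kernel panic= boot parameter workaround -----------------------
# grub_has_panic FILE: 0 if GRUB_CMDLINE_LINUX_DEFAULT already carries a
# panic=<seconds> setting, 1 otherwise (POSIX BRE, no GNU extensions).
grub_has_panic() {
    grep -q '^GRUB_CMDLINE_LINUX_DEFAULT="\(.*[[:space:]]\)\{0,1\}panic=[0-9]' "$1"
}

# grub_add_panic FILE: prepend "panic=5 " to GRUB_CMDLINE_LINUX_DEFAULT
# (assumption: the line has the usual 'GRUB_CMDLINE_LINUX_DEFAULT="..."'
# form). Idempotent. Writes via a temp file so it works without sed -i.
# The caller still has to regenerate the bootloader config afterwards.
grub_add_panic() {
    if grub_has_panic "$1"; then
        return 0
    fi
    tmp="$1.tmp.$$"
    sed 's/^GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="panic=5 /' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# ---- demo with constructed input ---------------------------------------
# Simulate the held-Enter case: a stream of empty passwords.
if unlock_loop 3 "" "" "" "" ""; then
    echo "unlocked"
else
    echo "fail closed: would reboot/halt here, not drop to a shell"
fi

tmpgrub=$(mktemp)
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\n' > "$tmpgrub"
grub_add_panic "$tmpgrub"
grep GRUB_CMDLINE_LINUX_DEFAULT "$tmpgrub"
rm -f "$tmpgrub"
```

The point of the loop is the exit path: once the tries are used up, the only outcomes are "unlocked" or "fail closed", so a stream of empty passwords cannot reach anything interactive. The `panic=` parameter is the belt-and-braces counterpart: if the initramfs does panic, the kernel reboots after the given number of seconds rather than handing the console to whoever is at the keyboard.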
The researchers noted that the bug was likely introduced by the addition of new security features.
“It is well known that ‘Complexity is the worst enemy of security’. A system with more features requires more code and has more interactions between sub-systems, which results in systems that are harder to test and so have more bugs,” they pointed out.
“Security is a non-functional requirement which must be analyzed globally. In this case, the ‘recovery’ actions taken in the case of system errors should be revised and updated to match the security requirements.”