Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

CVE-2016-4484 Hold down the Enter key for 70 sec to gain a Linux Root shell

The CVE-2016-4484 vulnerability can be exploited to gain a Linux Root shell by simply pressing the Enter Key for 70 Seconds. It could be quite easy to bypass the authentication procedures on some Linux systems just by holding down the Enter key for around 70 seconds. In this way, it is possible to open a shell […]

CVE-2016-4484 Hold down the Enter key for 70 sec to gain a Linux Root shell

The CVE-2016-4484 vulnerability can be exploited to gain a Linux Root shell by simply pressing the Enter Key for 70 Seconds.

It could be quite easy to bypass the authentication procedures on some Linux systems just by holding down the Enter key for around 70 seconds. In this way, it is possible to open a shell with root privileges and gain complete remote control over encrypted Linux machine.The problem is related to a security vulnerability, tracked as CVE-2016-4484, in the implementation of the Cryptsetup utility.

The CVE-2016-4484 was discovered by the Spanish security researchers Hector Marco and Ismael Ripoll. The principal Linux distributions, including Debian, Ubuntu, Fedora, Red Hat Enterprise Linux (RHEL), and SUSE Linux Enterprise Server (SLES) are vulnerable. Millions of users are at risk.

“A vulnerability in Cryptsetup, concretely in the scripts that unlock the system partition when the partition is ciphered using LUKS (Linux Unified Key Setup). The disclosure of this vulnerability was presented as part of our talk “Abusing LUKS to Hack the System” in the DeepSec 2016 security conference, Vienna.” Wrote the researchers in a security advisory.

“This vulnerability allows to obtain a root initramfs shell on affected systems. The vulnerability is very reliable because it does not depend on specific systems or configurations. Attackers can copy, modify or destroy the hard disc as well as set up the network to exfiltrate data. This vulnerability is especially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protected (password in BIOS and GRUB) and we only have a keyboard or/and a mouse.”

The Cryptsetup is a utility used to conveniently setup disk encryption based on the DMCrypt kernel module.These include plain dm-crypt volumes, LUKS volumes, loop-AES and TrueCrypt (including VeraCrypt extension) format.

The bug affects the way the Cryptsetup utility handles decryption password process when a system boots up, which lets a user retry the password multiple times.

Even if the user has exhausted all 93 password attempts, the user displays a shell that has root privileges.

Simply holding down the Enter key for more or less 70 seconds user will gain access to a root initial RAM file system (aka initramfs) shell that gives him full access to local file system and could be exploited to exfiltrate data via the network. The bad news is that the flaw is also remotely exploitable by attackers, this is the case of cloud-based services running on Linux that could be targeted without having ‘physical access.’

The experts highlighted the fact that anyway the attacker is not able to access to to the contents of the encrypted drive.

Below the list of operations allowed to the attacker:

  • Elevation of privilege: Since the boot partition is typically not encrypted:
    • It can be used to store an executable file with the bit SetUID enabled. Which can later be used to escalate privileges by a local user.
    • If the boot is not secured, then it would be possible to replace the kernel and the initrd image.
  • Information disclosure: It is possible to access all the disks. Although the system partition is encrypted it can be copied to an external device, where it can be later be brute forced. Obviously, it is possible to access to non-encrypted information in other devices.
  • Denial of service: The attacker can delete the information on all the disks.

In order to fix the problem, you need to check for the availability of a patch. In case there is no patch, the problem could be solved by modifying the cryptroot file to limit the number of password attempts and stop the boot sequence when this number is reached.

CVE-2016-4484 cryptsetup-manual-fix

You can add the following commands to your boot configuration:

sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="panic=5 /' /etc/default/grub grub-install

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CVE-2016-4484, Linux)