Image: Jack Wallen
Linux enjoys a level of security that most platforms cannot touch. That does not, in any way, mean it is perfect. In fact, over the last couple of years a number of really ugly vulnerabilities have been found — and very quickly patched. Enough time has passed since Heartbleed for those who look for such things to find yet another security issue.
And this one’s a doozy.
This particular vulnerability, found in Cryptsetup, was first reported by CyberSecurity UVP Research Group. The issue centers on the scripts charged with unlocking a LUKS-encrypted system partition.
Is your system vulnerable?
If your distribution of choice is Debian or Ubuntu, and you have encrypted the system partition, then, yes, your system is vulnerable.
What does this vulnerability do?
Effectively, this vulnerability gives an attacker access to the initial RAM filesystem (initramfs). Once the attacker has access to initramfs, they can copy, modify, or destroy your disk or use that machine to steal data from your network.
To compound matters, all an attacker needs to do to trigger the vulnerability is this:
- Boot the system
- Press and hold the Enter key
- Wait for about ninety seconds
That’s it. A Busybox shell will appear, giving the attacker the keys to your encrypted kingdom.
How do you fix this?
Before I hand you the band-aid for this issue, know that by the time you read this, the fix might already be in place. Linux vulnerabilities get patched very quickly.
On the off-chance that is not the case here, you must stop the boot sequence when the number of password guesses exceeds the limit. To do this, we add the panic parameter to the kernel command line so that shell access cannot be gained.
That temporary fix is handled within the /etc/default/grub file. To take care of this, follow these steps:
Open up a terminal window and issue the command:
sudo sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="panic=5 /' /etc/default/grub
Once the command runs, you must reinstall GRUB. To do that, we must first know exactly where the boot loader is installed. Chances are it can be found on /dev/sda. To verify that, issue the command (exactly as you see, as the dd command can be very dangerous to your system):
sudo dd bs=512 count=1 if=/dev/sda 2>/dev/null | strings
You should see output like:
ZRr= `|f |f1 GRUB Geom Hard Disk Read Error
If you see GRUB, then you know the boot loader is located in /dev/sda. Now reinstall GRUB with the command sudo grub-install /dev/sda.
That’s it, the vulnerability should be temporarily “fixed.”
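An idempotent variant of the edit above, with checks that the parameter reached the generated boot configuration and the running kernel, follows as an added example that is not part of the original article. The function names are hypothetical; /boot/grub/grub.cfg and /proc/cmdline are the standard Debian/Ubuntu locations, and update-grub is the Debian/Ubuntu command that regenerates grub.cfg from /etc/default/grub.

```shell
#!/bin/sh
# Added example: idempotent panic=5 edit plus checks that it took effect.
# Function names are hypothetical; paths are the Debian/Ubuntu defaults.

# Succeeds if GRUB_CMDLINE_LINUX_DEFAULT in file $1 already sets panic=<n>.
default_has_panic() {
    grep -Eq '^GRUB_CMDLINE_LINUX_DEFAULT="([^"]* )?panic=[0-9]+( [^"]*)?"' "$1"
}

# Prepend panic=5 once; keeps a .bak copy and never duplicates the parameter.
add_panic_param() {
    file=${1:-/etc/default/grub}
    default_has_panic "$file" && return 0
    grep -q '^GRUB_CMDLINE_LINUX_DEFAULT="' "$file" || return 1
    cp -p "$file" "$file.bak" || return 1
    sed -i 's/^GRUB_CMDLINE_LINUX_DEFAULT="/&panic=5 /' "$file"
}

# Print how many kernel ("linux ...") lines in a generated grub.cfg lack
# panic=<n>. Entries that are not built from GRUB_CMDLINE_LINUX_DEFAULT
# (for example recovery mode) are counted here as well.
count_missing_panic() {
    awk '$1 ~ /^linux/ && $0 !~ /(^|[ \t])panic=[0-9]+([ \t]|$)/ { n++ }
         END { print n + 0 }' "${1:-/boot/grub/grub.cfg}"
}

# Succeeds if the kernel command line (default: the running kernel's)
# carries panic=<n>.
cmdline_has_panic() {
    grep -Eq '(^| )panic=[0-9]+( |$)' "${1:-/proc/cmdline}"
}
```

The kernel only sees the parameter once grub.cfg has been regenerated, so run count_missing_panic against the generated file rather than /etc/default/grub; any non-zero count means some menu entry still boots without the parameter. After a reboot, cmdline_has_panic confirms the running kernel received it.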
The official patch
I have no doubt the official fix for this will come soon enough. Just keep checking for updates and make sure you apply them. Most Linux vulnerabilities are patched within a few days of discovery. If you’re not concerned about users gaining physical access to your systems, you could hold off until the official patch arrives. If you’re unsure, go ahead and use this temporary fix. For more information about this issue, make sure to read CVE-2016-4484: Cryptsetup Initrd root Shell.