Attackers with a little more than a minute to spare can get their foot in the door on Linux boxes by holding down the Enter key for 70 seconds – an act that gifts them a root
The simple exploit, which requires physical access to the system, exists due to a bug in the Linux Unified Key Setup (LUKS) used in popular variations of Linux. With access to an
initramfs environment shell, an attacker could then attempt to decrypt the encrypted filesystem by brute-force. The attack also potentially works on virtual Linux boxen in clouds.
Debian and Fedora are confirmed as suffering from this problem.
The problem was identified by Hector Marco, a lecturer at the University of the West of Scotland, together with Polytechnic University of Valencia assistant professor Ismael Ripoll. The pair say the problem does not require particular system configuration and offer the following analysis of the flaw:
This vulnerability allows to obtain a root
initramfsshell on affected systems. The vulnerability is very reliable because it doesn't depend on specific systems or configurations.
Attackers can copy, modify or destroy the hard disc as well as set up the network to exfiltrate data. This vulnerability is especially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protect (password in BIOS and GRUB) and we only have a keyboard or/and a mouse.
The "very reliable" exploit has been patched and a workaround developed that shutters the hack, according to Marco and Ripoll. Red Hat has rated the programming blunder (CVE-2016-4484) as "moderate", noting:
The attacker needs to have physical access to the machine in order to exploit this flaw. The attack consists of gaining access to the shell after wrong LUKS password has been entered during the boot process. Once shell access is obtained various brute force attacks (both manual and automated) can be carried out. The contents of the drive can also be copied off to do conduct offline brute force attacks on another computer.
Essentially, this is perfect for someone who has stolen or seized your machine, or wants to cause criminal mischief on computers in public spaces. ®