cryptsetup vulnerability

Here wizards, magicians, sorcerers and everybody can rest a bit and talk about anything they like.

Just remember to respect the rules.

cryptsetup vulnerability

Postby jiml8 » Nov 17th, '16, 19:49

If you have encrypted your system partition, you have an unexpected and potentially serious vulnerability in your system.

http://hmarco.org/bugs/CVE-2016-4484/CV ... l.html#fix

Curiously enough, the system partition is the only partition on my system that is NOT encrypted: I consider disaster recovery to be too difficult if it is encrypted. To avoid information leakage, I symlink those things that are sensitive (such as all of /var and /tmp) to other volumes that are encrypted.
jiml8
 
Posts: 1253
Joined: Jul 7th, '13, 18:09

Re: cryptsetup vulnerability

Postby doktor5000 » Nov 19th, '16, 16:41

Just for reference, as that vulnerability is reported against the debian cryptsetup package, did you check whether an mga5 or mga6 system is affected the same way? Or if RHEL/CentOS or derivates are affected, as that would be more close to our initscripts.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 17629
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: cryptsetup vulnerability

Postby jiml8 » Nov 19th, '16, 18:56

The article says it has been verified against distros that use dracut, including Fedora.

I would have to put together a system specifically to test this. I don't have the time.
jiml8
 
Posts: 1253
Joined: Jul 7th, '13, 18:09

Re: cryptsetup vulnerability

Postby doktor5000 » Nov 20th, '16, 15:54

Ahh, in the fine print for the update:

Other systems affected by a similar (or the same) issue

Systems that use Dracut instead of initramfs are also vulnerable. (tested on Fedora 24 x86_64). Note that if the grub password is setted at installation time on Fedora the rd.shell is set to zero preventing this attack. Thanks to Lubomir for reporting this.

So using a grub password would also prevent this attack, until an update is available from the Mageia repositories.
One can follow up using the bugreport for this issue: https://bugs.mageia.org/show_bug.cgi?id=19800
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 17629
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany


Return to The Wizards Lair

Who is online

Users browsing this forum: No registered users and 1 guest

cron