
Press the Enter Key for 70 Seconds on Linux and You Will Hack It

By Giedrius Majauskas


If you hold down the Enter key for about 70 seconds at the LUKS password prompt while a Linux system is booting, submitting an empty passphrase roughly 93 times, the password prompt gives up and you land in a shell. The flaw lies in the initramfs scripts shipped with the Cryptsetup package and has been assigned CVE-2016-4484. It affects systems whose hard drives are encrypted with LUKS (Linux Unified Key Setup), and it hands the attacker a root shell in the initramfs (initial RAM file system). The encrypted volume itself is not unlocked, since the shell runs before the LUKS device is opened, but it runs as root on the machine. The issue was found by Hector Marco, a lecturer at the University of the West of Scotland, and Ismael Ripoll, an assistant professor at the Polytechnic University of Valencia, and presented at the DeepSec conference in Vienna, Austria. In the researchers' words:

This vulnerability allows obtaining a root initramfs shell on affected systems. The vulnerability is very reliable because it doesn't depend on specific systems or configurations. Attackers can copy, modify or destroy the hard disc as well as set up the network to exfiltrate data. This vulnerability is especially serious in environments like libraries, ATMs, airport machines, labs, etc., where the whole boot process is protected (password in BIOS and GRUB) and we only have a keyboard and/or a mouse.

The flaw has been confirmed in Debian, Ubuntu, Fedora, RHEL (Red Hat Enterprise Linux) and SUSE Linux Enterprise Server; Arch Linux and Solus are not affected. In other words, most mainstream Linux distributions with LUKS-encrypted disks are exposed. On an ordinary machine the bug cannot be exploited over the network:

The attacker needs to have physical access to the machine in order to exploit this flaw. The attack consists of gaining access to the shell after a wrong LUKS password has been entered during the boot process. Once shell access is obtained, various brute force attacks (both manual and automated) can be carried out. The contents of the drive can also be copied off to conduct offline brute force attacks on another computer.

There is an exception: on cloud-hosted Linux systems, where the boot console is reachable over the network, the attack can be carried out remotely. Hector Marco summarises the impact of the flaw as elevation of privilege, information disclosure and DoS (denial of service).

If you run Linux with LUKS-encrypted disks, first check whether your system is vulnerable: reboot and, at the LUKS password prompt, hold the Enter key for about 70 seconds. If a shell appears, ask your distribution vendor for a patch. If no patch is available yet, the researchers' workaround is to add panic=5 to the kernel command line in /etc/default/grub and then regenerate grub.cfg (update-grub on Debian and Ubuntu; grub2-mkconfig -o /boot/grub2/grub.cfg on Fedora and RHEL). With panic= set on the command line, the initramfs reboots the machine after the unlock attempts are exhausted instead of dropping to a shell:

sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="panic=5 /' /etc/default/grub
update-grub
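To make the mechanism concrete, here is a small shell model of the retry loop and of the panic= workaround. It is an added example written for this page, not the cryptsetup package's own initramfs script: the passphrase, the kernel command lines, the grub file contents and the function names are constructed, the 93-attempt limit is the number quoted above, and a real system must still regenerate grub.cfg after the edit.

```shell
#!/bin/sh
# Model of the initramfs cryptroot retry loop behind CVE-2016-4484, plus the
# panic= workaround.  Added illustration, not the script from the cryptsetup
# or initramfs-tools packages (the real hook on Debian/Ubuntu is
# /usr/share/initramfs-tools/scripts/local-top/cryptroot).  Passphrase,
# kernel command lines and grub file contents below are constructed.

# Stand-in for "cryptsetup luksOpen": succeeds only for the right passphrase.
try_unlock() {
    [ "$1" = "correct horse battery staple" ]
}

# Model of initramfs-tools' panic(): with no panic= on the kernel command line
# it drops to an interactive root busybox shell; with panic=N it sleeps N
# seconds and reboots.  Here it only reports which path would be taken.
initramfs_panic() {
    case " $1 " in
        *" panic="*) echo "reboot" ;;
        *)           echo "shell" ;;
    esac
}

# The vulnerable loop.  Each line on stdin is one passphrase attempt, which is
# exactly what a held-down Enter key produces.  After $2 failed attempts the
# script gives up and calls panic(), so the error path hands out a shell.
# Outcome on stdout: "unlocked", "shell" or "reboot".
cryptroot_loop() {
    cmdline="$1"; max_tries="$2"; count=0
    while [ "$count" -lt "$max_tries" ]; do
        count=$((count + 1))
        IFS= read -r passphrase || passphrase=""
        if try_unlock "$passphrase"; then
            echo "unlocked"
            return 0
        fi
    done
    initramfs_panic "$cmdline"
}

# Emit $1 empty lines: what the keyboard sends while Enter is held down.
hold_enter() {
    i=0
    while [ "$i" -lt "$1" ]; do
        printf '\n'
        i=$((i + 1))
    done
}

# The advisory's edit applied to a copy of /etc/default/grub ($1), written
# without sed -i so it is portable.  Prints the resulting
# GRUB_CMDLINE_LINUX_DEFAULT value.  On a real system the edit must be
# followed by update-grub (Debian/Ubuntu) or grub2-mkconfig (Fedora/RHEL).
apply_panic_workaround() {
    sed 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="panic=5 /' "$1" > "$1.new" \
        && mv "$1.new" "$1"
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# Kernel command line fragment that the edited grub default would produce,
# derived from a constructed /etc/default/grub in a temporary file.
workaround_cmdline() {
    tmp=$(mktemp)
    printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\n' > "$tmp"
    apply_panic_workaround "$tmp"
    rm -f "$tmp"
}

# Scenarios: 100 blank attempts against the 93-try limit quoted in the text.
demo_vulnerable() { hold_enter 100 | cryptroot_loop "root=/dev/mapper/root ro quiet splash" 93; }
demo_workaround() { hold_enter 100 | cryptroot_loop "root=/dev/mapper/root ro $(workaround_cmdline)" 93; }
demo_correct()    { printf '%s\n' "correct horse battery staple" | cryptroot_loop "root=/dev/mapper/root ro quiet" 93; }

echo "held Enter, stock cmdline : $(demo_vulnerable)"
echo "held Enter, panic=5       : $(demo_workaround)"
echo "correct passphrase        : $(demo_correct)"
```

The point to take from the model is that the failure path, not the success path, is what needs hardening: the fix is to make the exhausted-retries branch reboot (or halt) rather than fall through to an interactive shell, which is exactly what panic= does to initramfs-tools' panic() and what the vendor patches do in the script itself.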

Whatever operating system you use, Linux or otherwise, keep it updated to the latest version and take updates only from official sources.


Sources: bleepingcomputer.com, thehackernews.com and theregister.co.uk.
