Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
641
VMScore

CVE-2016-4484

Published: 23/01/2017 Updated: 26/01/2017
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 6.8 | Impact Score: 5.9 | Exploitability Score: 0.9
VMScore: 641
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Subscribe to Cryptsetup Project

Vulnerability Summary

The Debian initrd script for the cryptsetup package 2:1.7.3-2 and previous versions allows physically proximate malicious users to gain shell access via many log in attempts with an invalid password.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

cryptsetup project cryptsetup

Vendor Advisories

Red Hat: CVE-2016-4484
A password-check vulnerability was found in the way initramfs, generated by dracut, handles the decryption of LUKS-encrypted data partitions An attacker having physical access to the machine or access to the boot console may be able to brute-force the LUKS password using the dracut shell, and may be able to copy off the encrypted partition for an ...
Arch Linux Issues:
A vulnerability in cryptsetup, concretely in the scripts that unlock the system partition when the partition is ciphered using LUKS (Linux Unified Key Setup) was found The fault is caused by an incorrect handling of the password check in the script file /scripts/local-top/cryptroot This vulnerability allows to obtain a root initramfs shell on aff ...

Github Repositories

https://github.com/Zidmann/Documentation-LUKS

Documentation LUKS By Zidmann 🙇 Global presentation The Linux Unified Key Setup (LUKS) is a disk encryption specification created by Clemens Fruhwirth in 2004 and was originally intended for Linux While most disk encryption software implements different, incompatible, and undocumented formats, LUKS implements a platform-independent standard on-disk format for use in variou

Recent Articles

Gone in 70 seconds: Holding Enter key can smash through defense
The Register • Team Register • 16 Nov 2016

Bad LUKS strikes Pengiunistas

Attackers with a little more than a minute to spare can get their foot in the door on Linux boxes by holding down the Enter key for 70 seconds – an act that gifts them a root initramfs shell. The simple exploit, which requires physical access to the system, exists due to a bug in the Linux Unified Key Setup (LUKS) used in popular variations of Linux. With access to an initramfs environment shell, an attacker could then attempt to decrypt the encrypted filesystem by brute-force. The attack also...

Read more...

References

CWE-287https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cbhttp://www.openwall.com/lists/oss-security/2016/11/16/6http://www.openwall.com/lists/oss-security/2016/11/15/4http://www.openwall.com/lists/oss-security/2016/11/15/1http://www.openwall.com/lists/oss-security/2016/11/14/13http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.htmlhttp://www.securityfocus.com/bid/94315https://nvd.nist.govhttps://github.com/Zidmann/Documentation-LUKShttps://www.theregister.co.uk/2016/11/16/want_to_pop_linux_shell_hole_enter_for_a_minute/https://access.redhat.com/security/cve/cve-2016-4484
VMScore
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-30924CVE-2024-3400overflowCVE-2024-23528CVE-2024-21338CVE-2024-3818CVE-2024-23535NULL pointer dereferenceelevation of privilege
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook