BugTraq
CVE-2016-4484: - Cryptsetup Initrd root Shell Nov 14 2016 08:45PM
Hector Marco (hmarco hmarco org) (1 replies)
Hello All,

Affected package
----------------
Cryptsetup <= 2:1

CVE-ID
------
CVE-2016-4484

Description
-----------
A vulnerability in Cryptsetup, concretely in the scripts that unlock the
system partition when the partition is ciphered using LUKS (Linux
Unified Key Setup).

This vulnerability allows to obtain a root initramfs shell on affected
systems. The vulnerability is very reliable because it doesn't depend on
specific systems or configurations. Attackers can copy, modify or
destroy the hard disc as well as set up the network to exflitrate data.

In cloud environments it is also possible to remotely exploit this
vulnerability without having "physical access."

Full description:
-----------------
http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_she
ll.html

Regards,
Hector Marco & Ismael Ripoll.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJYKiJ/AAoJEPjdiC0+ZMlG5e4P/0bZtixZEJS5mOwBWZ+PVWjf
Dk4vKH43nOxGRDAqBSsCadzvUWLu+g1ZJtThfY+Iki9dewGEeT0mdZTcXWkg/ILz
JIcObtrEr6EeQV87mcreNAmYBf4OTlxVbePC9AGI5OsYbkYgg+2DfeNOyq0ref3D
96I+2WLjFv5qXoqRB6gY0S0qETcZsm7J866Yuihl00PMjz+j2+rsxffI4WRafn0O
lkYKL3KO3slE4t+WgyYy4nY2mIuh5csifiqVwzcm7LawSTlUpTjoutswFXp0jKyj
W1Vpx0clYSZ0dEj/Ob2aYSF8167RD8KlsqN77IFPJNfW7gX7bYJUz6T9X/RWK2Jz
jb2xEH/0YMbbkwkzNM0TYkO/CLT86AQL5tOXfl7TBx4OgZe8pkXp+NcCK9sW9Jrz
0j1bfXc8LBQJsWYpyEYzCxz455v9mJaNAyGxLmWuSX7i+smNT3q6ZzL0+oOo9Nyl
1+maWcdEx6EaZLl6doPRpErVyM25XHoiKjj336d/DyC93v5e7fBkbkWgDc/3aNju
z9KWGOuMZNu8fjkRA2S5dRpvuB6llXYEb0Bzw9iOMjAW7AVGxNcaWJ/3BtI8VdSI
KvUTS9nAw4wEF9hN9uA3UVKT04mDEXUQ7MMrG6xJ6GBLX+Knm99hRihVbdWkY4Ca
JEpiM8WleT3OOg9YeLi8
=miOW
-----END PGP SIGNATURE-----

[ reply ]
Re: [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell Nov 15 2016 03:27AM
Leo Famulari (leo famulari name)


 

Privacy Statement
Copyright 2010, SecurityFocus