
How to solve high-risk Linux vulnerabilities

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article covers "how to solve Linux high-risk vulnerabilities". Many people run into this kind of problem in practice, so let the editor walk you through how to handle it. I hope you read it carefully and get something out of it!

By pressing Enter for 70 seconds, hackers can bypass authentication on Linux systems, gain root privileges, and remotely control encrypted Linux systems.

Source of the vulnerability

This security problem stems from a vulnerability in Cryptsetup (CVE-2016-4484). Cryptsetup is the software used to encrypt disks with Linux Unified Key Setup (LUKS), and LUKS is the standard disk encryption on Linux systems.

The flaw occurs in how Cryptsetup handles password entry errors after the system starts, where users are allowed to retry entering the password multiple times.

When the user enters a wrong password 93 times, the program gives the user a shell (busybox) with root permission.

In other words, if you repeat the wrong password 93 times, or press Enter for about 70 seconds, you get a root initramfs (initial RAM filesystem) shell.

After you get the shell, you can copy, modify, or destroy the entire hard drive, or you can use the network to transfer data.
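
The failure mode described above, modelled as an added example (this is not Cryptsetup's or any distribution's boot script, and not code from the original article): a passphrase retry loop that falls through to a rescue shell when attempts run out, beside one that fails closed. The names try_unlock, enters and unlock_loop, the sample passphrase and the outcome labels are hypothetical.

```shell
#!/bin/sh
# Constructed model of a boot-time unlock prompt. NOT the real cryptroot script.
# All names, the passphrase and the outcome labels are hypothetical.

CORRECT="correct horse"            # constructed sample passphrase

# Stand-in for the real passphrase check.
try_unlock() { [ "$1" = "$CORRECT" ]; }

# Emit N empty lines: what holding down Enter feeds the prompt.
enters() {
    i=0
    while [ "$i" -lt "$1" ]; do echo; i=$((i + 1)); done
}

# unlock_loop POLICY MAX_TRIES   (guesses are read from stdin, one per line)
# Prints the boot outcome: mounted, rescue-shell or halted.
unlock_loop() {
    policy=$1
    max=$2
    tries=0
    while [ "$tries" -lt "$max" ]; do
        pass=""
        IFS= read -r pass || :     # EOF counts as an empty guess
        tries=$((tries + 1))
        if try_unlock "$pass"; then
            echo mounted
            return 0
        fi
    done
    # Retries exhausted. The two designs differ only here.
    case $policy in
        fail-open)   echo rescue-shell ;;  # flawed: auth failure ends in a root shell
        fail-closed) echo halted ;;        # hardened: no shell without the passphrase
        *)           echo halted ;;        # unknown policy also fails closed
    esac
    return 1
}

# Demo: 93 wrong (empty) guesses against each design, then a legitimate unlock.
for p in fail-open fail-closed; do
    printf '%s after 93 bad guesses: ' "$p"
    enters 93 | unlock_loop "$p" 93 || :
done
printf 'fail-closed, right passphrase on 2nd try: '
printf 'wrong\ncorrect horse\n' | unlock_loop fail-closed 93
```

The legitimate path is identical in both designs; only the handling of exhausted retries decides whether an authentication failure ends in a root shell.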

The vulnerability can be exploited remotely

Spanish security researchers Hector Marco and Ismael Ripoll discovered this vulnerability, which affects almost all Linux distributions, including Debian, Ubuntu, Fedora, Red Hat Enterprise Linux (RHEL) and SUSE.

The researchers demonstrated the details at this year's DeepSec conference in Vienna, Austria:

"A hacker can obtain a root initramfs shell from the affected system. And the success rate of the vulnerability is very high because it does not rely on a particular system or configuration.

This vulnerability is particularly useful in libraries, ATMs, airports, laboratories, etc., where the boot process is (encrypted) protected and we only have a keyboard / mouse."

Looking at this, you might think that the vulnerability can only be exploited if the attacker has physical contact. But in fact, it can also be triggered remotely. If you are using a Linux-based cloud service, the vulnerability can be exploited without physical contact.

How serious is the vulnerability

It is worth noting that an attacker cannot exploit this vulnerability to obtain the contents of an encrypted disk, but can do the following:

Privilege escalation:

Because boot partitions are generally unencrypted, it is possible for hackers to store an executable file with the SetUID bit set there and then have a local user execute it to elevate privileges.

Attackers can also replace the kernel and initrd images.

Information disclosure:

Although the attacker cannot read the encrypted disk directly, there is still a lot he can do. For example, he can copy the disk to an external device and then brute-force it.

DoS attack:

Hackers can delete the contents of the disk.

This vulnerability affects Debian, Ubuntu, Fedora and other Linux distributions. Arch Linux and Solus users are not affected.

Solution

Although the vulnerability is easy to trigger and has a wide impact, its fix is also extremely simple:

First, hold down the Enter key at the LUKS password prompt for 70 seconds to check whether the system is vulnerable.

If it is vulnerable, check whether the Linux distribution you are using has been patched.

If the official patch has not been released, you can modify the cryptroot file yourself:
