Date: Tue, 15 Nov 2016 01:26:52 +0000 From: Hector Marco-Gisbert <hmarco@...rco.org> To: oss-security@...ts.openwall.com, fulldisclosure@...lists.org, bugtraq@...urityfocus.com Subject: Re: CVE-2016-4484: - Cryptsetup Initrd root Shell - Update: Dracut is also vulnerable Hello, We have found that systems that use Dracut instead of initramfs are also vulnerables (tested on Fedora 24 x86_64). Regards, Hector Marco & Ismael Ripoll. > Hello All, > > > Affected package ---------------- Cryptsetup <= 2:1 > > > CVE-ID ------ CVE-2016-4484 > > > Description ----------- A vulnerability in Cryptsetup, concretely > in the scripts that unlock the system partition when the partition > is ciphered using LUKS (Linux Unified Key Setup). > > This vulnerability allows to obtain a root initramfs shell on > affected systems. The vulnerability is very reliable because it > doesn't depend on specific systems or configurations. Attackers > can copy, modify or destroy the hard disc as well as set up the > network to exflitrate data. > > In cloud environments it is also possible to remotely exploit this > vulnerability without having "physical access." > > > Full description: ----------------- > http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html > > > > > Regards, Hector Marco & Ismael Ripoll. >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ