Ubuntu crypto file system vulnerability not patched?
Oliver Grawert
ogra at ubuntu.com
Thu Nov 17 14:03:13 UTC 2016
hi,
On Do, 2016-11-17 at 10:03 +0100, Gilles Gravier wrote:
> Hi!
>
> Running the latest Ubuntu 16.10 (Ubuntu Gnome). I came across this :
> http://thehackernews.com/2016/11/hacking-linux-system.html
>
> I tried. Vulnerability is present!
>
> Meaning anybody can put a patched kernel / initrd image and
> compromise my machine at next boot...
>
yes, this is a vulnerability but i suspect the real world scenarios
where you have systems in public places (libraries etc) using rootfs
encryption (i.e. some employee will have to go there and type in the
password once the system is rebooted) are actually rather rare ...
to access any data on your machine (i.e. a laptop you leave laying
around unattended at a conference) the attacker would still need your
pass phrase to unlock the disk ...
indeed there is the risk that someone could potentially replace your
kernel or initrd ... here secure boot would help, enable it if you
need. the bootloader would then notice a replaced kernel or initrd
(since they are not signed with the ubuntu archive key) ... beyond
this, the necessary fixes are in the works and will land ASAP in
${release}-security for all supported releases ...
note that this only affects systems where you have a BIOS and a grub
password (without either you can always boot with init=/bin/sh or
break=premount or some such commandline arg to achieve exactly the same
level of access) *and* rootfs encryption (if you use home encryption
this is only unlocked from the login manager later anyway, so this bug
wouldnt help any attacker)...
imho the drama the media makes out of it is worse than the actual issue
...
you can watch the CVE at [1] to see when an update is due.
ciao
oli
[1] https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-448
4.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20161117/0166204b/attachment.sig>
More information about the ubuntu-users
mailing list