Bug 19800 - dracut new security issue CVE-2016-4484
Summary: dracut new security issue CVE-2016-4484
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal
Severity: major
Target Milestone: Mageia 7
Assignee: Mageia tools maintainers
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO
Keywords: IN_ERRATA6
Depends on:
Blocks:
 
Reported: 2016-11-16 17:07 CET by David Walser
Modified: 2018-02-02 18:37 CET
CC List: 5 users

See Also:
Source RPM: dracut-044-11.mga6.src.rpm
CVE:
Status comment: Should be mitigated by the installer



Description David Walser 2016-11-16 17:07:22 CET
See:
https://bugzilla.redhat.com/show_bug.cgi?id=1395135
http://openwall.com/lists/oss-security/2016/11/15/1
https://harald.hoyer.xyz/2016/11/15/dracut-and-cve-2016-4484-cryptsetup-initrd-root-shell/

So the main point is that the issue can be mitigated by setting a bootloader password, which makes sense, and our installer allows that, but I don't believe that it adds the "rd.shell=0" to the kernel command line when you do that, so perhaps it should.
Comment 1 Florian Hubold 2016-11-20 14:57:42 CET
Although the actual shell script should also be "fixed", an example patch is available via http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html

CC: (none) => doktor5000, mageia

Comment 2 David Walser 2016-11-20 15:02:36 CET
That patch only applies to Debian.  Supposedly dracut has something with a similar bug, but it's not the same code.
Comment 3 Nicolas Lécureuil 2017-04-27 13:35:24 CEST
thierry, martin, 

any comment about https://bugzilla.redhat.com/show_bug.cgi?id=1395135#c3 ?

Assignee: thierry.vignaud => mageiatools
CC: (none) => mageia

Comment 4 Dave Hodgins 2017-06-25 03:57:40 CEST
In my opinion, this issue is about user education.

Forcing the use of rd.shell=0 when encrypting the root file system has implications in recovering from things like a power failure leaving the root file system requiring manual repair. Without testing, I'm not sure if the failure to mount after decrypting would then prevent booting or not. As such, adding the option to add rd.shell=0 when choosing to encrypt the root file system should be considered for a future enhancement.

Adding a grub password is a good recommendation, though it should be entirely the admin's choice.

Adding a BIOS/UEFI password is beyond the scope of software. It's a good suggestion, where the potential attacker has physical access, though it doesn't prevent them from physically destroying the hard drive. Same with the usually related security suggestion to block booting from removable media.

Even though CVEs have been assigned, I don't consider this to be a security issue, or worthy of being considered as a potential release blocker.

CC: (none) => davidwhodgins

Comment 5 David Walser 2017-07-07 03:14:46 CEST
And according to the council meeting, user education can start with errata. Can someone that understands this write an erratum entry for this?

Keywords: (none) => FOR_ERRATA6

David Walser 2017-07-07 04:23:53 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 6 papoteur 2017-07-08 10:23:08 CEST
Added a Security issues section in errata
https://wiki.mageia.org/en/Mageia_6_Errata#Security_issues

Boot of system with cyphered partitions - CVE-2016-4484

Failed tries to enter the password of a cyphered partition with LUKS end with a shell. http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html

People who want to secure their system have to:

    add a BIOS password
    add a grub password
    add “rd.shell=0” to the kernel command line

CC: (none) => yves.brungard_mageia
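
A defender's audit of the checklist in the erratum above, as an added example that is not part of this bug report, of Mageia's installer or of dracut: two POSIX sh functions check a kernel command line for an effective rd.shell=0 (assuming dracut's last-occurrence-wins argument parsing) and a grub.cfg for a configured superuser password, run here on constructed inputs; the function names and the PLACEHOLDER values are mine, and the BIOS password cannot be checked from inside the OS.

```shell
#!/bin/sh
# Constructed audit helpers for the CVE-2016-4484 mitigations (not Mageia's or
# dracut's code). Inputs are strings so the checks run offline; on a live system
# feed them the contents of /proc/cmdline and of grub.cfg (on Mageia typically
# /boot/grub2/grub.cfg).

# cmdline_rd_shell_disabled "<kernel command line>"
# Returns 0 when the effective rd.shell value is 0, 1 otherwise.
# Assumption: as with dracut's getarg, the last rd.shell occurrence wins and a
# bare "rd.shell" (no value) enables the emergency shell.
cmdline_rd_shell_disabled() {
    state=enabled
    for arg in $1; do
        case "$arg" in
            rd.shell=0)          state=disabled ;;
            rd.shell|rd.shell=*) state=enabled ;;
        esac
    done
    [ "$state" = disabled ]
}

# grubcfg_has_password "<grub.cfg contents>"
# Returns 0 when both a superusers list and a password entry are present, i.e.
# editing the kernel command line from the GRUB menu requires a password.
grubcfg_has_password() {
    printf '%s\n' "$1" | grep -q -E '^[[:space:]]*set[[:space:]]+superusers=' &&
    printf '%s\n' "$1" | grep -q -E '^[[:space:]]*password(_pbkdf2)?[[:space:]]'
}

# audit_mitigations "<kernel command line>" "<grub.cfg contents>"
# Prints one line per check and returns the number of missing mitigations.
audit_mitigations() {
    fails=0
    if cmdline_rd_shell_disabled "$1"; then
        echo "rd.shell=0 on kernel command line: ok"
    else
        echo "rd.shell=0 on kernel command line: MISSING"; fails=$((fails + 1))
    fi
    if grubcfg_has_password "$2"; then
        echo "GRUB password: ok"
    else
        echo "GRUB password: MISSING"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample inputs (not taken from a real system).
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/mapper/root rd.luks.uuid=luks-PLACEHOLDER rd.shell=0'
SAMPLE_GRUBCFG='set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.PLACEHOLDER'
```

Run `audit_mitigations "$(cat /proc/cmdline)" "$(cat /boot/grub2/grub.cfg)"` as root to check a live system; a non-zero return value means at least one of the two software mitigations is absent.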

papoteur 2017-07-08 10:24:19 CEST

Keywords: FOR_ERRATA6 => IN_ERRATA6

Comment 7 David Walser 2017-12-29 04:17:27 CET
Removing MGA5TOO, since this won't be addressed there.

Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO

David Walser 2018-02-02 18:37:21 CET

Target Milestone: --- => Mageia 7
Status comment: (none) => Should be mitigated by the installer