Bug 19800 - dracut new security issue CVE-2016-4484
Summary: dracut new security issue CVE-2016-4484
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal major
Target Milestone: Mageia 8
Assignee: Mageia tools maintainers
QA Contact: Sec team
Whiteboard: MGA7TOO
Keywords: IN_ERRATA6
Depends on:
Reported: 2016-11-16 17:07 CET by David Walser
Modified: 2020-08-26 11:01 CEST
7 users

See Also:
Source RPM: dracut-044-11.mga6.src.rpm
Status comment: Should be mitigated by the installer


Description David Walser 2016-11-16 17:07:22 CET

So the main point is that the issue can be mitigated by setting a bootloader password, which makes sense, and our installer allows that, but I don't believe that it adds the "rd.shell=0" to the kernel command line when you do that, so perhaps it should.
Comment 1 Florian Hubold 2016-11-20 14:57:42 CET
Although the actual shell script should also be "fixed", an example patch is available via http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html

CC: (none) => doktor5000, mageia

Comment 2 David Walser 2016-11-20 15:02:36 CET
That patch only applies to Debian.  Supposedly dracut has something with a similar bug, but it's not the same code.
Comment 3 Nicolas Lécureuil 2017-04-27 13:35:24 CEST
thierry, martin, 

any comment about https://bugzilla.redhat.com/show_bug.cgi?id=1395135#c3 ?

CC: (none) => mageia
Assignee: thierry.vignaud => mageiatools

Comment 4 Dave Hodgins 2017-06-25 03:57:40 CEST
In my opinion, this issue is about user education.

Forcing the use of rd.shell=0 when encrypting the root file system has implications in recovering from things like a power failure leaving the root file system requiring manual repair. Without testing, I'm not sure if the failure to mount after decrypting would then prevent booting or not. As such, adding the option to add rd.shell=0 when choosing to encrypt the root file system should be considered for a future enhancement.

Adding a grub password is a good recommendation, though it should be entirely the admin's choice.

Adding a bios/uefi password is beyond the scope of software. It's a good suggestion, where the potential attacker has physical access, though it doesn't prevent them from physically destroying the hard drive. Same with the usually related security suggestion to block booting from removable media.

Even though CVEs have been assigned, I don't consider this to be a security issue, or worthy of being considered as a potential release blocker.

CC: (none) => davidwhodgins

Comment 5 David Walser 2017-07-07 03:14:46 CEST
And according to the council meeting, user education can start with errata. Can someone that understands this write an erratum entry for this?

Keywords: (none) => FOR_ERRATA6

David Walser 2017-07-07 04:23:53 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 6 papoteur 2017-07-08 10:23:08 CEST
Added a Security issues section in errata

Booting a system with cyphered partitions - CVE-2016-4484

Failed attempts to enter the password of a cyphered LUKS partition end in a shell. http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html

People who want to secure their system have to:

    add a BIOS password
    add a grub password
    add “rd.shell=0” to the kernel command line

CC: (none) => yves.brungard_mageia
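The two software-side items in the erratum above (a grub password and rd.shell=0 on the kernel command line) can be audited from a shell. The script below is an added example written for this page; it is not part of the bug report, of dracut, or of Mageia's tooling. The function names rd_shell_disabled, grub_password_set and audit_text are invented here, the sample command lines and grub fragments are constructed (PLACEHOLDER stands in for real UUIDs and hashes), and two things are assumptions: that dracut honours the last rd.shell= token when several are present, and that a Mageia grub2 install keeps its configuration under /boot/grub2/.

```shell
#!/bin/sh
# Added example: audit the rd.shell=0 and grub-password mitigations from the
# CVE-2016-4484 erratum. Checks take text as arguments so they can be run on
# constructed samples as well as on a live host.

# Succeed (return 0) when the effective rd.shell value in a kernel command
# line is 0. Assumption: dracut uses the LAST rd.shell= token on the line.
rd_shell_disabled() {
    cmdline="$1"
    last=""
    for tok in $cmdline; do
        case "$tok" in
            rd.shell=*) last="${tok#rd.shell=}" ;;
        esac
    done
    [ "$last" = "0" ]
}

# Succeed when a grub2 configuration text both declares superusers and
# defines a password entry (plain or pbkdf2); either alone leaves the
# boot menu editable.
grub_password_set() {
    cfg="$1"
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' &&
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]'
}

# Constructed sample inputs (not captured from any real machine).
SAMPLE_CMDLINE_OPEN='BOOT_IMAGE=/vmlinuz root=/dev/mapper/root rd.luks.uuid=PLACEHOLDER quiet'
SAMPLE_CMDLINE_HARDENED='BOOT_IMAGE=/vmlinuz root=/dev/mapper/root rd.luks.uuid=PLACEHOLDER rd.shell=0'
SAMPLE_GRUB_NOPASS='set timeout=5
menuentry "Mageia" { linux /vmlinuz }'
SAMPLE_GRUB_PASS='set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER
menuentry "Mageia" { linux /vmlinuz }'

# Report both checks; return 0 only when both mitigations are in place.
audit_text() {
    rc=0
    if rd_shell_disabled "$1"; then
        echo "rd.shell=0 on kernel command line: present"
    else
        echo "rd.shell=0 on kernel command line: MISSING"
        rc=1
    fi
    if grub_password_set "$2"; then
        echo "grub superusers + password: set"
    else
        echo "grub superusers + password: NOT SET"
        rc=1
    fi
    return $rc
}

# Live use (paths assumed for a Mageia grub2 install; root is needed to read
# the grub files):
#   audit_text "$(cat /proc/cmdline)" \
#              "$(cat /boot/grub2/grub.cfg /boot/grub2/user.cfg 2>/dev/null)"
audit_text "$SAMPLE_CMDLINE_HARDENED" "$SAMPLE_GRUB_PASS"
```

The audit only confirms that the settings are present; it says nothing about the recovery trade-off raised in Comment 4, namely that with rd.shell=0 a root file system that fails to mount after unlocking no longer drops to an emergency shell, so a rescue medium is needed for manual repair. The BIOS/UEFI password from the erratum's first item is firmware-side and cannot be verified from the running system.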

papoteur 2017-07-08 10:24:19 CEST


Comment 7 David Walser 2017-12-29 04:17:27 CET
Removing MGA5TOO, since this won't be addressed there.

Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO

David Walser 2018-02-02 18:37:21 CET

Status comment: (none) => Should be mitigated by the installer
Target Milestone: --- => Mageia 7

David Walser 2019-06-23 19:24:23 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Nicolas Lécureuil 2020-05-22 14:04:01 CEST

Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO

Nicolas Lécureuil 2020-05-24 00:08:14 CEST

CC: (none) => mageia

David Walser 2020-05-24 00:15:44 CEST

Target Milestone: Mageia 7 => Mageia 8

Comment 8 Nicolas Lécureuil 2020-06-01 17:15:22 CEST
to test this CVE: 

Comment 9 martha welch 2020-08-26 11:01:18 CEST Comment hidden (spam)

CC: (none) => marthawelch1
