Bug 19800 - dracut new security issue CVE-2016-4484
Summary: dracut new security issue CVE-2016-4484
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal major
Target Milestone: Mageia 10
Assignee: Mageia tools maintainers
QA Contact: Sec team
URL:
Whiteboard: MGA9TOO
Keywords: IN_ERRATA6, IN_ERRATA7, IN_ERRATA8, IN_ERRATA9
Depends on:
Blocks:
 
Reported: 2016-11-16 17:07 CET by David Walser
Modified: 2024-06-15 13:57 CEST

See Also:
Source RPM: dracut-051-4.mga8.src.rpm
CVE:
Status comment: Should be mitigated by the installer


Description David Walser 2016-11-16 17:07:22 CET
See:
https://bugzilla.redhat.com/show_bug.cgi?id=1395135
http://openwall.com/lists/oss-security/2016/11/15/1
https://harald.hoyer.xyz/2016/11/15/dracut-and-cve-2016-4484-cryptsetup-initrd-root-shell/

So the main point is that the issue can be mitigated by setting a bootloader password, which makes sense, and our installer allows that, but I don't believe that it adds the "rd.shell=0" to the kernel command line when you do that, so perhaps it should.
Comment 1 Florian Hubold 2016-11-20 14:57:42 CET
Although the actual shell script should also be "fixed", an example patch is available via http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html

CC: (none) => doktor5000, mageia

Comment 2 David Walser 2016-11-20 15:02:36 CET
That patch only applies to Debian.  Supposedly dracut has something with a similar bug, but it's not the same code.
Comment 3 Nicolas Lécureuil 2017-04-27 13:35:24 CEST
thierry, martin, 

any comment about https://bugzilla.redhat.com/show_bug.cgi?id=1395135#c3 ?

Assignee: thierry.vignaud => mageiatools
CC: (none) => mageia

Comment 4 Dave Hodgins 2017-06-25 03:57:40 CEST
In my opinion, this issue is about user education.

Forcing the use of rd.shell=0 when encrypting the root file system has implications in recovering from things like a power failure leaving the
root file system requiring manual repair. Without testing, I'm not sure
if the failure to mount after decrypting would then prevent booting or not.
As such, adding the option to add rd.shell=0 when choosing to encrypt the
root file system should be considered for a future enhancement.

Adding a grub password is a good recommendation, though it should be entirely
the admin's choice.

Adding a BIOS/UEFI password is beyond the scope of software. It's a good suggestion, where the potential attacker has physical access, though it
doesn't prevent them from physically destroying the hard drive. Same with
the usually related security suggestion to block booting from removable media.

Even though CVEs have been assigned, I don't consider this to be a security
issue, or worthy of being considered as a potential release blocker.

CC: (none) => davidwhodgins

Comment 5 David Walser 2017-07-07 03:14:46 CEST
And according to the council meeting, user education can start with errata.  Can someone that understands this write an erratum entry for this?

Keywords: (none) => FOR_ERRATA6

David Walser 2017-07-07 04:23:53 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 6 papoteur 2017-07-08 10:23:08 CEST
Added a Security issues section in errata
https://wiki.mageia.org/en/Mageia_6_Errata#Security_issues

Boot of system with cyphered partitions - CVE-2016-4484

Failed tries to enter the password of a cyphered partition with LUKS end with a shell. http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html

People who want to secure their system have to:

    add a BIOS password
    add a grub password
    add “rd.shell=0” to the kernel command line

CC: (none) => yves.brungard_mageia
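
Added example, not part of the bug report and not Mageia or dracut code: a shell audit for the two software mitigations in the errata entry above, reporting whether `rd.shell=0` is on the kernel command line and whether the GRUB configuration sets a password. The `set superusers=` / `password` patterns, the last-occurrence-wins handling of `rd.shell`, and the sample values marked CONSTRUCTED are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the software mitigations discussed in this bug.
# File paths are arguments so the check can run against copies of
# /proc/cmdline and the GRUB 2 configuration file.

# 0 if the kernel command line in file $1 disables the dracut emergency shell.
# Assumption: if rd.shell appears more than once, the last occurrence counts.
shell_disabled() {
    tr -s ' \t' '\n\n' < "$1" | awk '
        $0 == "rd.shell=0" { s = "off"; next }
        $0 == "rd.shell" || index($0, "rd.shell=") == 1 { s = "on" }
        END { exit !(s == "off") }'
}

# 0 if GRUB 2 config $1 names a superuser and defines a password entry.
# Assumption: the config uses "set superusers=" and password/password_pbkdf2.
grub_password_set() {
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$1" &&
    grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]+[^[:space:]]' "$1"
}

# Print one status line; succeed only when both mitigations are present.
audit() {
    sh_state=MISSING; pw_state=MISSING
    shell_disabled "$1" && sh_state=ok
    grub_password_set "$2" && pw_state=ok
    echo "rd.shell=0:$sh_state grub-password:$pw_state"
    [ "$sh_state" = ok ] && [ "$pw_state" = ok ]
}

# Constructed sample: GRUB password configured but rd.shell=0 not added,
# the installer behaviour the bug description suspects.
demo() {
    d=$(mktemp -d) || return 1
    echo 'BOOT_IMAGE=/vmlinuz root=/dev/mapper/crypt_root rd.luks.uuid=CONSTRUCTED quiet' > "$d/cmdline"
    printf 'set superusers="admin"\npassword_pbkdf2 admin grub.pbkdf2.sha512.CONSTRUCTED\n' > "$d/grub.cfg"
    audit "$d/cmdline" "$d/grub.cfg"; rc=$?
    rm -rf "$d"
    return $rc
}

# Two arguments: audit those files. No arguments: run the constructed sample.
if [ $# -eq 2 ]; then audit "$1" "$2"; else demo || true; fi
```

Run with two arguments (a copy of the kernel command line and the GRUB configuration file) to audit a real system; the exit status is non-zero when either mitigation is missing.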

papoteur 2017-07-08 10:24:19 CEST

Keywords: FOR_ERRATA6 => IN_ERRATA6

Comment 7 David Walser 2017-12-29 04:17:27 CET
Removing MGA5TOO, since this won't be addressed there.

Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO

David Walser 2018-02-02 18:37:21 CET

Status comment: (none) => Should be mitigated by the installer
Target Milestone: --- => Mageia 7

David Walser 2019-06-23 19:24:23 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Nicolas Lécureuil 2020-05-22 14:04:01 CEST

Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO

Nicolas Lécureuil 2020-05-24 00:08:14 CEST

CC: (none) => mageia

David Walser 2020-05-24 00:15:44 CEST

Target Milestone: Mageia 7 => Mageia 8

Comment 8 Nicolas Lécureuil 2020-06-01 17:15:22 CEST
to test this CVE: 

http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html
Comment 10 Aurelien Oudelet 2020-12-27 10:30:49 CET
Why not add rd.shell=0 to the kernel command line when the user wants a GRUB password, like Fedora does with Anaconda?

Updating SRPM version number.

Until then, the errata entry for this from M6 should also be part of the M7 and M8 errata.

CC: (none) => ouaurelien
Source RPM: dracut-044-11.mga6.src.rpm => dracut-051-4.mga8.src.rpm

Nicolas Lécureuil 2021-01-09 14:14:30 CET

CC: (none) => tmb

Comment 11 Nicolas Lécureuil 2021-01-09 14:14:50 CET
Martin, Thomas,

what do you think about this one ?
Nicolas Lécureuil 2021-01-12 21:47:30 CET

Whiteboard: MGA7TOO => MGA7TOO, MGA8TOO

Chauncey Reichert 2021-03-25 15:11:47 CET

CC: (none) => dinexat235

Comment 13 Morgan Leijström 2021-03-25 18:24:12 CET
Didn't see this until now.
Per comment 10 for errata

CC: (none) => fri
Keywords: (none) => FOR_ERRATA7, FOR_ERRATA8

Comment 14 Morgan Leijström 2021-03-26 00:22:45 CET
https://wiki.mageia.org/en/Mageia_7_Errata#Security
https://wiki.mageia.org/en/Mageia_8_Errata#Security

This bug makes it easy to destroy things, but the encrypted content is still encrypted.
So encryption is still good enough for most use cases IMO.

Keywords: FOR_ERRATA7, FOR_ERRATA8 => IN_ERRATA7, IN_ERRATA8

Comment 15 David Walser 2021-07-01 18:42:03 CEST
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA7TOO, MGA8TOO => MGA8TOO

Comment 16 David GEIGER 2024-06-15 09:22:28 CEST
Removing Mageia 8 from whiteboard due to EOL!

CC: (none) => geiger.david68210
Target Milestone: Mageia 8 => Mageia 9
Whiteboard: MGA8TOO => MGA9TOO

Comment 17 Morgan Leijström 2024-06-15 13:57:49 CEST
It has also long been in the mga9 errata
https://wiki.mageia.org/en/Mageia_9_Errata#Security

Target Milestone: Mageia 9 => Mageia 10
Keywords: (none) => IN_ERRATA9

