How does your encrypted Linux system respond to the Cryptsetup bug?

Decrypt Manjaro 16.10 system partition

The news making the rounds in the Linux security arena is the one about a bug discovered in Cryptsetup, the program used to set up disk encryption in Linux.

The bug, detailed here, was discovered by Hector Marco and Ismael Ripoll.

As described by the authors, the bug is basically the result of incorrect error handling after several failed attempts to decrypt a LUKS encrypted disk. And the failure could be triggered when a user inputs the wrong encryption passphrase, or repeatedly presses the ENTER key.

In their report, they noted that:

An attacker with access to the console of the computer and with the ability to reboot the computer can launch a shell (with root permissions) when he/she is prompted for the password to unlock the system partition. The shell is executed in the initrd environment. Obviously, the system partition is encrypted and it is not possible to decrypt it (AFAWK). But other partitions may be not encrypted, and so accessible. Just to mention some exploitation strategies:

Their report appears to be based on tests of Debian and Ubuntu systems. From my own experience, I can report that every major distribution seems to handle failed hard disk decryption a bit differently. To start with Ubuntu, the system will drop to an initramfs shell after 181 failed attempts (you can simulated it by pressing the ENTER key that many times). If you have such a system, give it a try. After 181 failed attempts, you’ll be presented with a shell like the one shown in Figure 1.

Decrypt Ubuntu 16.10 system partition
Figure 1: Result of failed attempt to decrypt Ubuntu 16.10 system partition

With Fedora 25 Rawhide, you have just three attempts before the system gives you a shell. And that has been the case with Fedora systems for as long as I can remember. Compare that to the 181 attempts on Ubuntu 16.10.

Decrypt Fedora 25 Rawhide system partition
Figure 2: Result of failed attempt to decrypt Fedora 25 Rawhide system partition

Manjaro 16.10, which uses the Calamares installer, is even less forgiving. It gives you just one attempt before it drops you into a shell.

Decrypt Manjaro 16.10 system partition
Figure 3: Result of failed attempt to decrypt Manjaro 16.10 system partition

In all three case, the encrypted system partition is still encrypted, so you data is still save. However, as detailed in the bug report, unencrypted partitions, like ones mounted at /boot and /boot/efi (on UEFI systems) might still be open for exploitation. But how far can an attacker go on such system, when the system partition is still encrypted? Not far, I hope.

Related Post:  How to install Ubuntu 11.04 on a btrfs file system

A bug always has a solution, and in this case, the authors provided an easy-to-apply workaround. I’ve expanded on it a bit in the code block below. If after applying the workaround you discover that it does not work, welcome to the club. It didn’t work on all the encrypted systems I applied it on – Ubuntu 16.10, Manjaro 16.10, and Fedora Rawhide. By the way, all three distributions were running either Cryptsetup 1.7.2 or 1.7.3.

#
# You might want to backup your /etc/grub/default file before executing this command

sudo sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="panic=5 /' /etc/default/grub

# Follow that with this on Ubuntu and Manjaro on no-UEFI systems

sudo grub-install /dev/sda

# On UEFI systems on Ubuntu and Manjaro, the second command should be
# Change /dev/sdaX to match your systems /boot/efi partition 

sudo grub-install /dev/sdaX

# On Fedora Rawhide, the second command on no-UEFI systems should be 

sudo grub2-install /dev/sda

# On Fedora Rawhide, the second command on UEFI systems should be
# Change /dev/sdaX to match your systems /boot/efi partition

sudo grub2-install /dev/sdaX

#

If the workaround stopped your system from dropping into a shell on failed decryption attempts, which means it worked, post a comment. I’ve contact the authors with my findings, so I’ll update this article when I get some feedback from them. Perhaps there’s something I missed.

Share:

Share on facebook
Facebook
Share on twitter
Twitter
Share on pinterest
Pinterest
Share on linkedin
LinkedIn

Newsletter: Subscribe for updates

Subscribe
Notify of
guest
3 Comments
Inline Feedbacks
View all comments
SaiYan
SaiYan
5 years ago

Hi,

I think i found a workaround on Fedora.
You can add the rd.shell=0 option to your Grub command line to disable the dracut shell.

– Edit the /etc/grub2.cfg file
– Add rd.shell=0 to the /vmlinuz… line
– Reboot and test it

That works for me.

SaiYan

Get the latest

On social media

Security distros

Hacker
Linux distros for hacking and pentesting

Crypto mining OS

Bitcoin
Distros for mining bitcoin and other cryptocurrencies

Crypto hardware

MSI GeForce GTX 1070
Installing Nvidia GTX 1070 GPU drivers on Ubuntu

Disk guide

LVM
Beginner's guide to disks & disk partitions in Linux

Bash guide

Bash shell terminal
How to set the PATH variable in Bash
Categories
Archives
3
0
Hya, what do you think? Please comment.x
()
x
Algorithm 2020

Did you get your ticket yet?

Algorithm 2022 is a 3-day conference on blockchain, cryptocurrencies and AI set for Feb. 10 – 12, 2022, in Dallas. Speakers from the US Air Force, Ministry of Digital Transformation, Ukraine, and more. click that button to learn more and get your ticket. Use BSD20 code for 20% off ticket price.