Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upluks, hold down enter vuln in 3.2 CVE-2016-4484 #2907
Comments
andrewdavidwong
added
bug
security
labels
Jul 16, 2017
andrewdavidwong
added this to the Release 3.2 updates milestone
Jul 16, 2017
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
xahare commentedJul 13, 2017
•
edited
Edited 1 time
-
xahare
edited Jul 13, 2017 (most recent)
Qubes OS version (e.g.,
R3.2):3.2 testing
Affected TemplateVMs (e.g.,
fedora-23, if applicable):apparently dom0, so fedora-23.
Expected behavior:
boot to luks prompt to enter disk passphrase, hold down enter, nothing happens
Actual behavior:
boot to luks prompt to enter disk passphrase, hold down enter, get initrd root shell
Steps to reproduce the behavior:
boot to luks prompt, hold down enter for, in my case 3 minutes and 20 seconds.
General notes:
see CVE-2016-4484
I thought this was discussed on the list, but a search on the cve didnt find anything.
http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html
fedora 24 is mentioned as vulnerable at the time of that writing. is this already fixed in fedora 25? if so will qubes 3.2.1 be affected?
mitigations
possible mitigations, havent tried
adding yet another password would be a pain to users. rd.shell=0 is probably the best mitigation for those without aem.
severity is minor, given that the evil maid can open up a laptop. but, the fix is so easy, it would be silly not to.
Related issues: