Researchers have discovered a major vulnerability in the Cryptsetup utility that can impact many GNU/Linux systems and is triggered by pressing the Enter key for about 70 seconds.
The issue (CVE-2016-4484) affects Cryptsetup, a utility used to conveniently set up disk encryption based on the DMCrypt kernel module, and was reported by Hector Marco and Ismael Ripoll. If left unfixed, attackers can copy, modify or destroy a device’s hard disk and set up a system to pull data off the computer.
“The attacker just has to press and keep pressing the [Enter] key at the LUKS password prompt until a shell appears, which occurs after 70 seconds approx. The fault is caused by an incorrect handling of the password check in the script file /scripts/local-top/cryptroot. When the user exceeds the maximum number of password tries (by default 3), then boot sequence continues normally,” the researchers wrote.
The problem can be fixed by stopping the boot sequence when the number of allowed password attempts has been surpassed.
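
The difference between the faulty handling and the fix described above can be seen in a simplified model of a passphrase retry loop. This is an added example, not the actual cryptroot script or the project's patch; `try_unlock`, `prompt_loop`, `boot_flawed`, `boot_fixed` and the sample passphrase are hypothetical names and constructed values.

```shell
#!/bin/sh
# Simplified model of a boot-time passphrase retry loop.
# Not the real cryptroot script: all function names are hypothetical.
MAX_TRIES=3                               # default limit named in the article
CONSTRUCTED_PASSPHRASE="correct horse"    # constructed sample value

# Hypothetical stand-in for the real LUKS unlock call.
try_unlock() {
    [ "$1" = "$CONSTRUCTED_PASSPHRASE" ]
}

# Reads one passphrase attempt per line from stdin.
# Returns 0 when unlocked, 1 when the attempt limit is exceeded.
prompt_loop() {
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        # An empty line models a bare Enter key press.
        IFS= read -r attempt || attempt=""
        if try_unlock "$attempt"; then
            return 0
        fi
        tries=$((tries + 1))
    done
    return 1
}

# Faulty pattern: the failure result is discarded, so the boot
# sequence carries on even though nothing was unlocked.
boot_flawed() {
    prompt_loop || true
    echo "continue-boot"
}

# Corrected pattern: exceeding the limit stops the sequence.
# "halt" is a marker here; a real script would stop booting.
boot_fixed() {
    if prompt_loop; then
        echo "continue-boot"
    else
        echo "halt"
        return 1
    fi
}
```

Feeding three empty lines to `boot_flawed` still yields `continue-boot`, while `boot_fixed` yields `halt` and a non-zero status.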