Malware, Network Security, Vulnerability Management

Linux flaw exposed in a minute by pressing enter key

Researchers have discovered a major vulnerability in the Cryptesetup utility that can impact many GNU/Linux systems, which is activated by pressing the enter key for about 70 seconds.

The Cryptesetup, which is is utility used to conveniently setup disk encryption based on DMCrypt kernel module, issue (CVE-2016-4484) was reported by Hector Marco and Ismael Ripoll. If left unfixed attackers can copy, modify or destroy a device's hard disk and set up a system to pull data off the computer.

“The attacker just have to press and keep pressing the [Enter] key at the LUKS password prompt until a shell appears, which occurs after 70 seconds approx. The fault is caused by an incorrect handling of the password check in the script file /scripts/local-top/cryptroot. When the user exceeds the maximum number of password tries (by default 3), then boot sequence continues normally,” the researchers wrote.

The problem can be fixed by stopping the boot sequence when the number of allowed password attempts has been surpassed.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.