CVE-2016-4484 - OpenCVE

The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.

No CVSS v4.0

No CVSS v3.1

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cryptsetup Project	Cryptsetup

Configuration 1 [-]

cpe:2.3:a:cryptsetup_project:cryptsetup:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html
http://www.openwall.com/lists/oss-security/2016/11/14/13
http://www.openwall.com/lists/oss-security/2016/11/15/1
http://www.openwall.com/lists/oss-security/2016/11/15/4
http://www.openwall.com/lists/oss-security/2016/11/16/6
http://www.securityfocus.com/bid/94315
https://access.redhat.com/articles/2786581
https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb
https://nvd.nist.gov/vuln/detail/CVE-2016-4484
https://www.cve.org/CVERecord?id=CVE-2016-4484

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-01-23T21:00:00

Updated: 2024-08-06T00:32:25.721Z

Reserved: 2016-05-04T00:00:00

Link: CVE-2016-4484

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-01-23T21:59:01.533

Modified: 2017-01-26T02:59:01.877

Link: CVE-2016-4484

Redhat

Severity : Moderate

Publid Date: 2016-11-14T00:00:00Z

Links: CVE-2016-4484 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-11-11T00:00:00", "descriptions": [{"lang": "en", "value": "The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-01-24T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20161114 CVE-2016-4484: - Cryptsetup Initrd root Shell", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/11/14/13"}, {"tags": ["x_refsource_MISC"], "url": "http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html"}, {"name": "[oss-security] 20161115 Re: CVE-2016-4484: - Cryptsetup Initrd root Shell - Update: Dracut is also vulnerable", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/11/15/1"}, {"name": "[oss-security] 20161115 Re: [FD] CVE-2016-4484: - Cryptsetup Initrd root Shell", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/11/15/4"}, {"name": "94315", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/94315"}, {"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb"}, {"name": "[oss-security] 20161116 Re: CVE-2016-4484: - Cryptsetup Initrd root Shell", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/11/16/6"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-4484", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20161114 CVE-2016-4484: - Cryptsetup Initrd root Shell", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/11/14/13"}, {"name": "http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html", "refsource": "MISC", "url": "http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html"}, {"name": "[oss-security] 20161115 Re: CVE-2016-4484: - Cryptsetup Initrd root Shell - Update: Dracut is also vulnerable", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/11/15/1"}, {"name": "[oss-security] 20161115 Re: [FD] CVE-2016-4484: - Cryptsetup Initrd root Shell", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/11/15/4"}, {"name": "94315", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94315"}, {"name": "https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb", "refsource": "MISC", "url": "https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb"}, {"name": "[oss-security] 20161116 Re: CVE-2016-4484: - Cryptsetup Initrd root Shell", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/11/16/6"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T00:32:25.721Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20161114 CVE-2016-4484: - Cryptsetup Initrd root Shell", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/11/14/13"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html"}, {"name": "[oss-security] 20161115 Re: CVE-2016-4484: - Cryptsetup Initrd root Shell - Update: Dracut is also vulnerable", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/11/15/1"}, {"name": "[oss-security] 20161115 Re: [FD] CVE-2016-4484: - Cryptsetup Initrd root Shell", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/11/15/4"}, {"name": "94315", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/94315"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb"}, {"name": "[oss-security] 20161116 Re: CVE-2016-4484: - Cryptsetup Initrd root Shell", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/11/16/6"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-4484", "datePublished": "2017-01-23T21:00:00", "dateReserved": "2016-05-04T00:00:00", "dateUpdated": "2024-08-06T00:32:25.721Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cryptsetup_project:cryptsetup:*:*:*:*:*:*:*:*", "matchCriteriaId": "F3238657-B9F4-47C6-9A21-67DD2D11AA8B", "versionEndIncluding": "2.1.7.3-2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password."}, {"lang": "es", "value": "La secuencia de comandos initrd de Debian para el paquete cryptsetup 2:1.7.3-2 y versiones anteriores permite a atacantes f\u00edsicamente pr\u00f3ximos obtener acceso a shell a trav\u00e9s de muchos intentos de inicio de sesi\u00f3n con una contrase\u00f1a no v\u00e1lida."}], "id": "CVE-2016-4484", "lastModified": "2017-01-26T02:59:01.877", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-01-23T21:59:01.533", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Technical Description", "Third Party Advisory"], "url": "http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/11/14/13"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/11/15/1"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/11/15/4"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/11/16/6"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/94315"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "dracut: Brute force attack on LUKS password decryption via initramfs", "id": "1395134", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1395134"}, "csaw": false, "cvss": {"cvss_base_score": "7.2", "cvss_scoring_vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "status": "draft"}, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-391", "details": ["The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.", "A password-check vulnerability was found in the way initramfs, generated by dracut, handles the decryption of LUKS-encrypted data partitions. An attacker having physical access to the machine or access to the boot console may be able to brute-force the LUKS password using the dracut shell, and may be able to copy off the encrypted partition for an offline brute-force attack or, in certain conditions, install malicious boot images in the /boot partition."], "mitigation": {"lang": "en:us", "value": "Versions of dracut package shipped with Red Hat Enterprise Linux 6 and 7 support kernel command line options which allow a shell to be presented when it is not able to mount the root device. (As in case of a failed root partition decryption attempt by cryptsetup, when wrong password is entered multiple times).\nIn Red Hat Enterprise Linux 6, this is enabled by \"rdshell\" option on the kernel command line. However default installs do not enable this option. Hence when several attempts to decrypt the root partition fails, it will cause a kernel panic.\nIn Red Hat Enterprise Linux 7, this is enabled by the \"rd.shell\" option. Default behavior here is to drop to a shell when root device mount fails, which can be disabled by adding \"rd.shell=0\" to the kernel command line. \nIn either of the cases, a user having access to the grub console, can edit the kernel command line and re-enable his access. Red Hat Product Security Team strongly advocates enabling grub passwords as well BIOS passwords to protect against this."}, "name": "CVE-2016-4484", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "dracut", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "dracut", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2016-11-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-4484\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-4484\nhttp://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html\nhttps://access.redhat.com/articles/2786581"], "statement": "In Red Hat Enterprise Linux and Fedora, the scripts used during boot time to ask for user password and decrypt the drive are part of the dracut package. They used to generate the Initial ramdisk (initramfs) and are a part of the initramfs image file.\nThe attacker needs to have physical access to the machine in order to exploit this flaw. The attack consists of gaining access to the shell after wrong luks password has been entered during the boot process. Once shell access is obtained various brute force attacks (both manual and automated) can be carried out. The contents of the drive can also be copied off to do conduct offline brute force attacks on another computer.\nRed Hat Product Security encourages users of Red Hat Enterprise Linux 6 and 7 to use the mitigation described in the link below. No updated packages are currently available.\nFor more information please refer to: https://access.redhat.com/articles/2786581", "threat_severity": "Moderate"}