JP Vossen on 16 Nov 2016 12:03:29 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] root shell

On 11/16/2016 10:04 AM, jeff wrote:
Holding ENTER for 70 seconds gives root shell (LUKS)
Includes fix. Patch should be available already.

technical explanation CVE-2016-4484


But I don't see this as that big a deal. It does NOT allow access to the encrypted data, and as far as I can tell the effect is not any different than booting from a LiveUSB, except that it's slightly easier.

We've always said that once you have physical access the game is over, and while specifically addresses that I still don't see a big difference. Physical access is physical access, even if it's only virtually physical access (i.e., cloud). The game is then over...

The fact is that even on a "whole disk" encrypted system, parts of it are not encrypted. If you can get at those parts--however you do it--you can plant trojans, redirect data streams or whatever else. This vulnerability makes it easier to do that and that's not good, but that's all it does and it looks trivially easy to fix.

--  -------------------------------------------------------------------
JP Vossen, CISSP | |
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --