cm0002@programming.dev to Linux@programming.dev · 2 days agoNew Linux Security Flaw Uses Initramfs to Inject Malwarewww.omgubuntu.co.ukexternal-linkmessage-square28fedilinkarrow-up193arrow-down14
arrow-up189arrow-down1external-linkNew Linux Security Flaw Uses Initramfs to Inject Malwarewww.omgubuntu.co.ukcm0002@programming.dev to Linux@programming.dev · 2 days agomessage-square28fedilink
minus-squarefmstrat@lemmy.nowsci.comlinkfedilinkEnglisharrow-up3arrow-down2·edit-21 day agoI’m confused. Initramfs is unencrypted in /boot when using LUKS with RAID. It has to be, right? The attacker uses a debug shell to modify the unencrypted boot, so the next time you boot and type your LUKS password, they can gain access. This doesn’t line up with your comment?
minus-squarejust_another_person@lemmy.worldlinkfedilinkarrow-up2arrow-down3·1 day agoHow are you going to boot something that’s encrypted without input to unlock it? N
minus-squarefmstrat@lemmy.nowsci.comlinkfedilinkEnglisharrow-up5arrow-down2·edit-21 day agoYou always “boot something that is unencrypted.” You then “mount” the encrypted volumes and load the OS. This is how people can put an SSH server (dropbear) in initramfs so they can unlock remotely. The attack is to initramfs, not the encrypted layer. The order’ish: Boot Initramfs loads, gives you the LUKS prompt Initramfs decrypts/mounts OS OS loads
minus-squarejust_another_person@lemmy.worldlinkfedilinkarrow-up1arrow-down3·1 day agoI’m well aware. You’re proving my point at mount.
minus-squarefmstrat@lemmy.nowsci.comlinkfedilinkEnglisharrow-up3arrow-down1·21 hours agoBut… your original comment is just… wrong? This isn’t a critical security flaw unless you have the worst partition scheme on your encrypted volumes imaginable. The default LUKS partition scheme is vulnerable. It’s not even a process flaw at that point, just “possible”. There is a successful POC, it is a flaw. you can compromise disks once encrypted because everything is happening in an in-memory boot process. This is not just in-memory. This is modifying the unencrypted part of initramfs on disk. Powering off the machine does not remove the exploit.
I’m confused.
Initramfs is unencrypted in /boot when using LUKS with RAID. It has to be, right?
The attacker uses a debug shell to modify the unencrypted boot, so the next time you boot and type your LUKS password, they can gain access.
This doesn’t line up with your comment?
How are you going to boot something that’s encrypted without input to unlock it?
N
You always “boot something that is unencrypted.” You then “mount” the encrypted volumes and load the OS.
This is how people can put an SSH server (dropbear) in initramfs so they can unlock remotely.
The attack is to initramfs, not the encrypted layer.
The order’ish:
I’m well aware. You’re proving my point at mount.
But… your original comment is just… wrong?
The default LUKS partition scheme is vulnerable.
There is a successful POC, it is a flaw.
This is not just in-memory. This is modifying the unencrypted part of initramfs on disk. Powering off the machine does not remove the exploit.