Major Linux security hole gapes open

dcdataPublic, Uncategorized

An old Linux security ‘feature’ script, which activates LUKS disk encryption, has been hiding a major security hole in plain sight.

Sometimes Linux users can be smug about their system’s security. And sometimes a major hole that’s been hiding in Linux since about version 2.6 opens up and in you fall.

Cryptosetup Security Hole Code
Please do not code this way. When a system fails, falling through to a root shell is not a good idea.

The security hole this time is with how almost all Linux distributions implement Linux Unified Key Setup-on-disk-format (LUKS). LUKS is the standard mechanism for implementing Linux hard disk encryption. LUKS is often put into action with Cryptsetup. It’s in Cryptsetup default configuration file that the problem lies and it’s a nasty one. Known Linux distributions with this bug include Debian, Ubuntu, Fedora, Red Hat Enterpise Linux (RHEL), and SUSE Linux Enterprise Server (SLES).

 

Full Story