CVE-2016-4484

A password-check vulnerability was found in the way initramfs, generated by dracut, handles the decryption of LUKS-encrypted data partitions. An attacker having physical access to the machine or access to the boot console may be able to brute-force the LUKS password using the dracut shell, and may be able to copy off the encrypted partition for an offline brute-force attack or, in certain conditions, install malicious boot images in the /boot partition.

Mitigation

Versions of dracut package shipped with Red Hat Enterprise Linux 6 and 7 support kernel command line options which allow a shell to be presented when it is not able to mount the root device. (As in case of a failed root partition decryption attempt by cryptsetup, when wrong password is entered multiple times).

In Red Hat Enterprise Linux 6, this is enabled by "rdshell" option on the kernel command line. However default installs do not enable this option. Hence when several attempts to decrypt the root partition fails, it will cause a kernel panic.

In Red Hat Enterprise Linux 7, this is enabled by the "rd.shell" option. Default behavior here is to drop to a shell when root device mount fails, which can be disabled by adding "rd.shell=0" to the kernel command line.

In either of the cases, a user having access to the grub console, can edit the kernel command line and re-enable his access. Red Hat Product Security Team strongly advocates enabling grub passwords as well BIOS passwords to protect against this.