Re: About CVE-2016-4484: - Cryptsetup Initrd root Shell

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





Am 16.11.2016 um 00:15 schrieb Michael Kjörling:
On 15 Nov 2016 20:42 +0100, from sven@xxxxxxxxxxxxxxxxxxxxx (Sven Eschenberg):
Either way, you need the BIOS administrator password to get to an
alternative boot device.

I wonder however how securely that password is stored?

Almost certainly not securely at all. It certainly is easy to clear
once you have physical access: All you need to do is get access to the
motherboard and either remove/disconnect the CMOS battery, or set a
jumper to a "CLEAR CMOS" or similarly labeled position. I would expect
some modicum of protection such that the password isn't stored in
clear text in NVRAM or flash readable to all and sundry, but I
wouldn't expect anything much more sophisticated than an XOR with a
fixed value, a CRC-32 checksum, or similar. The exact details almost
certainly vary with BIOS implementations and there's no guarantee that
there aren't implementations out there that actually do the right
thing, but BIOS password storage methods is hardly a distinguishing
feature among motherboard manufacturers. Don't expect a proper PBKDF.

Think of the BIOS passwords (both user and administrator) not really
as tamper-proofing measures as much as a tamper-evidence measures.

Feel free to mentally s/BIOS/UEFI/g above if that's your
open-at-the-top-container of hot-breakfast-beverage-of-choice.


That was more of a rhetoric question, to be honest. I have substantial doubts that passwords in the very space limited NVRAM are somehow cryptographically hashed or something. If you can recover the PW from the stored data however, then even tamper-evidence is effectively gone. isn't it?

And, let's call it firmware, that should cover for both, UEFI and classic BIOS, I think ;-).

The CVE however assumed, that you can not simply access the internal parts of the machine. Still, more fuzz than substance in that CVE, if you ask me.

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt




[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux