CVE-2016-4484 - OpenCVE

The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.

No CVSS v3.1

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Cryptsetup Project	Cryptsetup

Configuration 1 [-]

cpe:2.3:a:cryptsetup_project:cryptsetup:*:*:*:*:*:*:*:*

References

Link	Resource
http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html	Exploit Mitigation Technical Description Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/11/14/13	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/11/15/1	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/11/15/4	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/11/16/6	Mailing List Third Party Advisory
http://www.securityfocus.com/bid/94315
https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb	Patch

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-01-23T21:00:00

Updated: 2017-01-24T10:57:01

Reserved: 2016-05-04T00:00:00

Link: CVE-2016-4484

JSON object: View

NVD Information

Status : Modified

Published: 2017-01-23T21:59:01.533

Modified: 2017-01-26T02:59:01.877

Link: CVE-2016-4484

JSON object: View

Redhat Information

No data.

CWE

CWE-287

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-11-11T00:00:00", "descriptions": [{"lang": "en", "value": "The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-01-24T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20161114 CVE-2016-4484: - Cryptsetup Initrd root Shell", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/11/14/13"}, {"tags": ["x_refsource_MISC"], "url": "http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html"}, {"name": "[oss-security] 20161115 Re: CVE-2016-4484: - Cryptsetup Initrd root Shell - Update: Dracut is also vulnerable", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/11/15/1"}, {"name": "[oss-security] 20161115 Re: [FD] CVE-2016-4484: - Cryptsetup Initrd root Shell", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/11/15/4"}, {"name": "94315", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/94315"}, {"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb"}, {"name": "[oss-security] 20161116 Re: CVE-2016-4484: - Cryptsetup Initrd root Shell", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/11/16/6"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-4484", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20161114 CVE-2016-4484: - Cryptsetup Initrd root Shell", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/11/14/13"}, {"name": "http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html", "refsource": "MISC", "url": "http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html"}, {"name": "[oss-security] 20161115 Re: CVE-2016-4484: - Cryptsetup Initrd root Shell - Update: Dracut is also vulnerable", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/11/15/1"}, {"name": "[oss-security] 20161115 Re: [FD] CVE-2016-4484: - Cryptsetup Initrd root Shell", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/11/15/4"}, {"name": "94315", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94315"}, {"name": "https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb", "refsource": "MISC", "url": "https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb"}, {"name": "[oss-security] 20161116 Re: CVE-2016-4484: - Cryptsetup Initrd root Shell", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/11/16/6"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-4484", "datePublished": "2017-01-23T21:00:00", "dateReserved": "2016-05-04T00:00:00", "dateUpdated": "2017-01-24T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cryptsetup_project:cryptsetup:*:*:*:*:*:*:*:*", "matchCriteriaId": "F3238657-B9F4-47C6-9A21-67DD2D11AA8B", "versionEndIncluding": "2.1.7.3-2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password."}, {"lang": "es", "value": "La secuencia de comandos initrd de Debian para el paquete cryptsetup 2:1.7.3-2 y versiones anteriores permite a atacantes f\u00edsicamente pr\u00f3ximos obtener acceso a shell a trav\u00e9s de muchos intentos de inicio de sesi\u00f3n con una contrase\u00f1a no v\u00e1lida."}], "id": "CVE-2016-4484", "lastModified": "2017-01-26T02:59:01.877", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-01-23T21:59:01.533", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Technical Description", "Third Party Advisory"], "url": "http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/11/14/13"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/11/15/1"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/11/15/4"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/11/16/6"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/94315"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}