this post was submitted on 07 Jul 2025
88 points (96.8% liked)

Linux

8334 readers
292 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev
88
New Linux Security Flaw Uses Initramfs to Inject Malware (www.omgubuntu.co.uk)
submitted 2 days ago by cm0002@programming.dev to c/linux@programming.dev
28 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] just_another_person@lemmy.world 47 points 2 days ago (16 children)

Attackers with physical access to a Linux system can access a debug shell simply by entering the wrong decryption password several times in a row.

Yeah, no duh. This isn't a critical security flaw unless you have the worst partition scheme on your encrypted volumes imaginable. It's not even a process flaw at that point, just "possible".

This is essentially what the Israeli government did to Android a decade ago with Pegasus: if you can get in front of the bootloader, you can compromise disks once encrypted because everything is happening in an in-memory boot process.

Same way you can hotwire cars. It's not new.

[–] fmstrat@lemmy.nowsci.com 1 points 2 days ago* (last edited 2 days ago) (4 children)

I'm confused.

Initramfs is unencrypted in /boot when using LUKS with RAID. It has to be, right?

The attacker uses a debug shell to modify the unencrypted boot, so the next time you boot and type your LUKS password, they can gain access.

This doesn't line up with your comment?

[–] just_another_person@lemmy.world -2 points 1 day ago (3 children)

How are you going to boot something that's encrypted without input to unlock it?

N

[–] fmstrat@lemmy.nowsci.com 4 points 1 day ago* (last edited 1 day ago) (1 children)

You always "boot something that is unencrypted." You then "mount" the encrypted volumes and load the OS.

This is how people can put an SSH server (dropbear) in initramfs so they can unlock remotely.

The attack is to initramfs, not the encrypted layer.

The order'ish:

  • Boot
  • Initramfs loads, gives you the LUKS prompt
  • Initramfs decrypts/mounts OS
  • OS loads
[–] just_another_person@lemmy.world -3 points 1 day ago (1 children)

I'm well aware. You're proving my point at mount.

[–] fmstrat@lemmy.nowsci.com 2 points 1 day ago

But.. your original comment is just.. wrong?

This isn't a critical security flaw unless you have the worst partition scheme on your encrypted volumes imaginable.

The default LUKS partition scheme is vulnerable.

It's not even a process flaw at that point, just "possible".

There is a successful POC, it is a flaw.

you can compromise disks once encrypted because everything is happening in an in-memory boot process.

This is not just in-memory. This is modifying the unencrypted part of initramfs on disk. Powering off the machine does not remove the exploit.

load more comments (1 replies)
load more comments (1 replies)
load more comments (12 replies)