Researchers have discovered a vulnerability in Cryptsetup, which is used to encrypt disks in Linux systems, that can lead to an attacker gaining a root shell.
The actual flaw lies in the scripts that set up Linux Unified Key Setup (LUKS) encryption of the system partition.
Hence this is only exploitable if the system partition was encrypted while installing Linux, an option offered to Debian and Ubuntu users.
Exploiting this normally requires physical access to the machine; in a cloud environment, however, it can be exploited remotely.
The flaw is caused by incorrect handling of the password check in a script file: when the user exceeds the number of tries allowed, the boot sequence continues normally and keeps trying to mount the encrypted partition.
Each time the system tries to mount the partition the user gets more password tries, and when the maximum for this is finally reached the user is dropped to a root shell. One can thus just hold down the Enter key and after a while this shell will appear.
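As an added illustration (not the page's own material and not the real cryptroot initramfs script), this POSIX shell model contrasts the fail-open retry loop described above with a fail-closed variant; the retry limits are assumed values:

```shell
#!/bin/sh
# Added example: a simplified model of the passphrase retry logic described
# above, NOT the real cryptroot initramfs script. Limits are assumed values.
MAX_TRIES=3    # passphrase prompts per mount attempt
MAX_MOUNTS=3   # times the boot sequence retries the mount

# unlock_outcome MODE ATTEMPTS
#   MODE     "open"   = vulnerable shape: failed mount is retried with fresh
#                       prompts and the final fallback is a shell
#            "closed" = hardened shape: an exhausted retry budget halts boot
#   ATTEMPTS simulated entries, one character each: 'w' wrong, 'c' correct
# Prints: mounted, root-shell, halted, or waiting (input ran out at a prompt).
unlock_outcome() {
    mode=$1
    rest=$2
    mounts=0
    while [ "$mounts" -lt "$MAX_MOUNTS" ]; do
        tries=0
        while [ "$tries" -lt "$MAX_TRIES" ]; do
            if [ -z "$rest" ]; then
                echo waiting
                return 0
            fi
            ch=${rest%"${rest#?}"}   # first character of the remaining input
            rest=${rest#?}
            if [ "$ch" = c ]; then
                echo mounted
                return 0
            fi
            tries=$((tries + 1))
        done
        # Retry budget exhausted. Fail closed: stop here instead of
        # continuing the boot sequence.
        if [ "$mode" = closed ]; then
            echo halted
            return 0
        fi
        # Vulnerable behaviour: boot continues and the mount is retried,
        # handing the user another MAX_TRIES prompts.
        mounts=$((mounts + 1))
    done
    # Every mount retry failed and the sequence falls through to a shell.
    echo root-shell
}

unlock_outcome open wwwwwwwww    # prints: root-shell
unlock_outcome closed wwwwwwwww  # prints: halted
```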
Data is not at direct risk of theft, as the disk is encrypted. But since the boot partition is typically unencrypted, it can be used to store an executable file with the SetUID bit set, which a local user can later use to elevate privileges.
Further, any other disks on the system can be accessed. The encrypted partition can also be copied off the machine and a brute-force attack carried out to access its contents.