Linux Full-Disk Encryption Bypassed by Repeatedly Pressing the Enter Key

Michael Fincham of Pulse Security has identified a vulnerability in the implementation of the mechanism that unlocks full-disk encryption at boot. It allows an attacker with physical access to a computer to run their own commands with root privileges during the early boot stage and, by unlocking the encrypted disk manually from there, to gain full access to the data stored on the disks. The vulnerability affects Linux systems that use the LUKS (Linux Unified Key Setup) encryption format, including setups that protect the key with a TPM (Trusted Platform Module) and rely on components such as Clevis, Dracut and systemd to unlock the disk automatically at boot. [1] [2] [3]

The attack method resembles a vulnerability found in 2016 in the cryptsetup package, where root privileges could be obtained by pressing the Enter key at the passphrase prompt. The new variant was discovered during an audit that tested how the system reacts to Enter key presses generated by a keyboard emulator with minimal delay between presses. The attack was successfully demonstrated on a configuration based on Ubuntu 20.04 that uses the Clevis framework and TPM-protected keys, a setup common on remote servers that need the disk unlocked without operator interaction. However, manual passphrase entry remains available as a fallback in case the automatic unlock fails. [4]
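The report above does not name a mitigation. As an added example, not code from the report or from Pulse Security, the following POSIX shell check audits a kernel command line for the settings that stop the initramfs from handing over a root shell when the unlock stage fails; it assumes dracut's `rd.shell`/`rd.emergency` options and initramfs-tools' `panic=` argument behave as their documentation describes.

```shell
#!/bin/sh
# Added example (not from the original report). Assumptions: on dracut-based
# initramfs images "rd.shell=0" disables the emergency shell (rd.emergency=
# chooses reboot/poweroff/halt instead); on Debian/Ubuntu initramfs-tools a
# numeric "panic=<seconds>" makes the initramfs reboot instead of opening a
# shell. The last occurrence of an option wins, as the kernel parser does.

# boot_shell_hardened CMDLINE
# Returns 0 when a failed LUKS/Clevis/TPM unlock cannot reach a shell.
boot_shell_hardened() {
    cmdline="$1"
    dracut_shell_off=0
    panic_set=0
    for opt in $cmdline; do
        case "$opt" in
            rd.shell=0) dracut_shell_off=1 ;;
            rd.shell|rd.shell=*) dracut_shell_off=0 ;;   # re-enables the shell
            panic=*)
                secs=${opt#panic=}
                case "$secs" in
                    ''|*[!0-9]*) panic_set=0 ;;   # not a number: ignored
                    *) panic_set=1 ;;
                esac ;;
        esac
    done
    [ "$dracut_shell_off" -eq 1 ] || [ "$panic_set" -eq 1 ]
}

# When run on a live machine, report on its own command line.
if [ -r /proc/cmdline ]; then
    if boot_shell_hardened "$(cat /proc/cmdline)"; then
        echo "OK: a failed unlock will not open an initramfs shell"
    else
        echo "WARN: a failed unlock may drop to a root shell in the initramfs"
    fi
fi
```

The check only covers the shell fallback; automatic TPM unlocking still needs the rest of the boot chain (bootloader, measured boot) kept intact.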
