CVE-2016-4484 — Improper Authentication in Project Cryptsetup

CWE-287 — Improper Authentication CWE-391 — Unchecked Error Condition8 documents7 sources

Severity

6.8MEDIUMNVD

EPSS

0.5%

top 35.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cryptsetup Project Cryptsetup

Timeline

PublishedJan 23

Latest updateMay 17

Description

The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.

CVSS vector

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages2 packages

▶Debiancryptsetup_project/cryptsetup< 2:1.7.3-2+3

▶NVDcryptsetup_project/cryptsetup2.1.7.3-2

Patches

Patch: gitlab.com ↗Patch: gitlab.com ↗

🔴Vulnerability Details

GHSA

GHSA-gv5v-vgx2-hgvr: The Debian initrd script for the cryptsetup package 2:1↗2022-05-17

▶

CVEList

CVE-2016-4484: The Debian initrd script for the cryptsetup package 2:1↗2017-01-23

▶

OSV

CVE-2016-4484: The Debian initrd script for the cryptsetup package 2:1↗2017-01-23

▶

📋Vendor Advisories

Red Hat

dracut: Brute force attack on LUKS password decryption via initramfs↗2016-11-14

▶

Debian

CVE-2016-4484: cryptsetup - The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows...↗2016

▶

💬Community

Bugzilla

CVE-2016-4484 dracut: Brute force attack on LUKS password decryption via initramfs↗2016-11-15

▶

Bugzilla

CVE-2016-4484 dracut: Incorrect error handling when checking password [fedora-all]↗2016-11-15

▶