If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Rate Thread | Display Modes |
#1
|
|||
|
|||
The Linux Thing
It is worth looking at what is required to actually exploit this
vulnerability. The conditions a An attacker must have physical access to the system's console to be able to type the famous backspaces. In general, once an attacker can actually put hands onto a target system, the game is already lost. That is no excuse for a trivially exploited vulnerability in the bootloader's authentication code, but it does add a bit of perspective. Note that you may have physical access to the Linux-based entertainment system in your airplane seat, but you almost certainly lack access to the console. The attacker must be able to reach the bootloader's authentication prompt. That generally means being able to force a running Linux system to reboot so that the bootloader actually runs. If the system is configured to allow unprivileged users to cause a reboot, then complaints of "denial of service" are already moot; service can be denied at any time. Of course, that can also be done by pulling the plug since, as has already been noted, the attacker has physical access to the system. The system must be running the GRUB2 bootloader. If it's an x86 system, chances are that it is indeed GRUB2 that is installed there. Other architectures tend to use other bootloaders, though. Many of the embedded systems that might be most at risk from this type of vulnerability will thus not be running the vulnerable software. The bootloader must actually be configured for password-based access. While lacking hard data, your editor would guess that a small minority of systems booting with GRUB2 have passwords set on them. In most cases, simply rebooting allows full access to the bootloader and its capabilities — no exploit required. The system must be running an exploitable version of GRUB2. This part is relatively easy — the vulnerability has been present since version 1.98, released in late 2009. Given the above, it seems unlikely that this vulnerability has exposed "any Linux system" to attack. Instead, it has exposed a small number of systems that are configured with bootloader security, but that also allow physical access to a console keyboard. For some of those systems, this vulnerability constitutes a true emergency. For most of us, though, there is no particular need to go into red alert. |
Ads |
#2
|
|||
|
|||
The Linux Thing
On 21/12/2015 23:19, Cy Burnot wrote:
It is worth looking at what is required to actually exploit this vulnerability. The conditions a rubbish snipped What the **** has this got to do with Windows 10? Do you guys really suffer from Windows 10 Withdrawal symptoms? If so then go and buy a new low spec machine from DELL and you will have your own copy of Windows 10 pre-installed. Go and **** yourself if this is not what you came here to read. -- 1. /*This post contains rich text (HTML). if you don't like it then you can kill-filter the poster without crying like a small baby.*/ 2. /*This message is best read in Mozilla Thunderbird as it uses 21st century technology.*/ |
Thread Tools | |
Display Modes | Rate This Thread |
|
|