Security 'Oversight' Lets Attackers With Physical Access, Access Some Encrypted Linux Systems

A report published by ERNW demonstrates the exploit on Ubuntu 25.04 and Fedora 42, though not all Linux distributions are affected (OpenSUSE Tumbleweed, for example, is not).

So how does it work?

Attackers with physical access to a Linux system can access a debug shell simply by entering the wrong decryption password several times in a row. On Ubuntu, they hit Esc at the password prompt, punch in a few key combos, and bam: debug shell appears.

It’s through this low-level debug shell that attackers can compromise an encrypted system.

They can mount a USB drive with tools that let them modify the initramfs (Initial RAM Filesystem – a temporary system run during boot to prep the main OS) to inject malicious code, and then repack it – without tripping any security flags.

ERNW report: Insecure Boot: Injecting initramfs from a debug shell – Insinuator.net

The report also states that while this debug mode in Fedora doesn’t have the USB modules necessary for the attack, the GRUB rescue initramfs does have them.

Personal opinion: Evil maid attack that could maybe be resolved with a self-signed UKI, although that may be complicated to set up for some people. It’s also the first time I’m hearing about this particular vector, but it may already have been a known issue.
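Since the attack described in the report comes down to unpacking the initramfs cpio archive, adding or editing members, and repacking it, one thing a practitioner can do on an unsigned setup is fingerprint the members of a known-good image and diff a suspect one against it. The script below is an added example for this thread, not code from the ERNW report or the original post: it implements a minimal writer and parser for the cpio 'newc' format that initramfs images use, builds a trusted image and a repacked copy from constructed placeholder data (the paths imitate the Debian/Ubuntu initramfs-tools layout, the contents are invented), and reports which members were added, removed or changed. It assumes the image has already been decompressed and, where the image is a concatenation of several cpio archives (early microcode plus the main archive), split into the archive you want to check.

```python
"""Diff a repacked initramfs against a trusted manifest.

Added example for this thread, not code from the ERNW report or the post.
The initramfs is a (usually compressed) cpio 'newc' archive; an attacker who
repacks it from a debug shell adds or edits members.  This builds two small
archives from constructed sample data, fingerprints the trusted one, and
reports what the tampered copy added, removed or changed.  Assumed: the image
has already been decompressed and, if it is a concatenation of several cpio
archives (early microcode + main image), split into the archive to check.
"""
import hashlib

MAGIC = b"070701"          # cpio 'newc' (SVR4, no CRC) magic
TRAILER = "TRAILER!!!"     # end-of-archive member name
HDR_LEN = 110              # 6-byte magic + 13 fields of 8 hex digits


def _pad4(n):
    """Bytes needed to round n up to a multiple of 4 (newc alignment rule)."""
    return (4 - n % 4) % 4


def cpio_newc_pack(members):
    """Build a newc archive from {path: bytes}; every member is a 0755 file."""
    out = bytearray()
    for ino, (name, data) in enumerate(list(members.items()) + [(TRAILER, b"")], 1):
        mode = 0 if name == TRAILER else 0o100755
        nameb = name.encode() + b"\0"
        # Field order: ino mode uid gid nlink mtime filesize devmajor devminor
        #              rdevmajor rdevminor namesize check
        fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nameb), 0)
        out += MAGIC + b"".join(b"%08X" % f for f in fields) + nameb
        out += b"\0" * _pad4(HDR_LEN + len(nameb))      # pad header+name
        out += data + b"\0" * _pad4(len(data))          # pad file data
    return bytes(out)


def cpio_newc_members(blob):
    """Yield (name, mode, data) for each member until the trailer."""
    off = 0
    while off + HDR_LEN <= len(blob):
        if blob[off:off + 6] != MAGIC:
            raise ValueError("bad newc magic at offset %d" % off)
        f = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name_off = off + HDR_LEN
        name = blob[name_off:name_off + namesize - 1].decode()
        data_off = name_off + namesize + _pad4(HDR_LEN + namesize)
        if name == TRAILER:
            return
        yield name, mode, blob[data_off:data_off + filesize]
        off = data_off + filesize + _pad4(filesize)


def manifest(blob):
    """{path: (mode, sha256)} -- keep this somewhere the attacker cannot rewrite."""
    return {n: (m, hashlib.sha256(d).hexdigest()) for n, m, d in cpio_newc_members(blob)}


def diff_manifests(trusted, suspect):
    """Members added, removed or altered (content or mode) relative to trusted."""
    return {
        "added":   sorted(set(suspect) - set(trusted)),
        "removed": sorted(set(trusted) - set(suspect)),
        "changed": sorted(n for n in trusted.keys() & suspect.keys()
                          if trusted[n] != suspect[n]),
    }


# Constructed sample: a minimal initramfs and a repacked copy with an injected
# hook and an edited cryptroot script.  Paths mimic the Debian/Ubuntu
# initramfs-tools layout; contents are placeholders, not the real scripts.
TRUSTED_IMAGE = cpio_newc_pack({
    "init": b"#!/bin/sh\n. /scripts/functions\nrun_scripts /scripts/local-top\n",
    "scripts/local-top/cryptroot": b"#!/bin/sh\ncryptsetup open \"$dev\" cryptroot\n",
})
TAMPERED_IMAGE = cpio_newc_pack({
    "init": b"#!/bin/sh\n. /scripts/functions\nrun_scripts /scripts/local-top\n",
    "scripts/local-top/cryptroot":
        b"#!/bin/sh\ncryptsetup open \"$dev\" cryptroot\n/bin/sh /scripts/local-top/zz-hook\n",
    "scripts/local-top/zz-hook": b"#!/bin/sh\n# placeholder for injected code\n",
})


def report():
    """Diff the tampered image against the trusted manifest."""
    return diff_manifests(manifest(TRUSTED_IMAGE), manifest(TAMPERED_IMAGE))


if __name__ == "__main__":
    for kind, paths in report().items():
        print("%-8s %s" % (kind, ", ".join(paths) or "-"))
```

Two caveats on using this for real. A manifest stored on the same unencrypted /boot partition is just one more file the attacker can rewrite from the debug shell, so it has to live inside the encrypted root or off the machine, and it has to be regenerated whenever a kernel or package update rebuilds the initramfs. And this is detection after the fact, not prevention: what stops the tampered image from being booted at all is a signed unified kernel image verified by Secure Boot, which is the mitigation the post points at.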

blogspam over a “security vulnerability”


Makes sense. Thanks for your input.

Physical access requirement for the exploit… it’s fine…

Physical access exploits are the scariest! Ubuntu is vulnerable to several of these:


Sure… they can try to get to me in a remote rural island. You guys get next day Amazon delivery. I am so far away that the fastest I can get from offshore US… is 2 weeks… 10 days if I pay for the “premium shipping”.

Theft for resale/fencing will always be the likeliest scenario in most places. Don't be the low-hanging fruit with no FDE.


Is that really enough though?

Maybe the teenage hooligan breaking into your house is going to pull out a can of liquid nitrogen and a $1,195 Passware Key Recovery Forensics kit to mount a cold boot attack. I saw a group of kids tampering with my power lines the other day; I think they were trying to extract my AES encryption keys by measuring power consumption, but for some reason they ran off with the cables.

Who knows with burglars these days.

Are you really assuming people are very smart and very educated with highly technical skills and not junkies looking for an easy cash out with the copper in your power lines?

I mean, sure, if you are a journalist/politician/activist with a real high threat model. But most people are that, and hackers able to extract my AES encryption keys by measuring power consumption, including the noise of all appliances indoors? Don't the WiFis of the world also use AES?
