CPSD CryptoPro Secure Disk Integrity Validation Bypass Vulnerability Allowing Root Access

A vulnerability exists in CPSD CryptoPro Secure Disk versions prior to 7.6.6 and 7.7.1, allowing an attacker with physical access to the computer or hard drive to manipulate files on an unencrypted partition. This could lead to undetected, persistent root access within the application. The vulnerability arises because the Linux kernel's Integrity Measurement Architecture (IMA) does not validate configuration files, enabling unauthorized changes that could be exploited to execute arbitrary code as the root user.

Impact

Exploitation of this vulnerability allows for arbitrary code execution with root privileges, potentially leading to unauthorized access and manipulation of data within the application.

Reproduction

To reproduce this vulnerability, access the unencrypted partition on the hard disk by booting from an external medium or by removing the hard disk and mounting it to another system. Once access is gained, bypass the IMA by creating an editable configuration file for the DHCP daemon that includes a reverse shell command. After restarting the host machine, the reverse shell will connect back to the attacker's machine, providing root access.

Remediation

Users can update to CPSD CryptoPro Secure Disk versions 7.6.6 or 7.7.1, both of which include the necessary patch. If immediate patching is not possible, the PBA partition can be encrypted to prevent unauthorized changes. Encryption can be activated through the 'Client Security/Verschiedenes/PBA Linux Partition verschlüsseln' option.