[[!meta date="Sun, 07 Feb 2009 18:51:24 +0000"]]
[[!meta title="Possible use of an untrusted Live system found on local hard-disk"]]
[[!pagetemplate template="news.tmpl"]]

[[!tag security/fixed]]

The live-initramfs boot scripts used in amnesia can boot an
untrusted Live system found on the local hard-disk, instead of the
one on the USB stick or CD that the user expects to boot.

This can only happen in the (pretty rare) case when Linux needs more
than 15 seconds to make the legitimate USB stick or CD ready.
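
The following is an added example, not code from live-initramfs or amnesia and not the fix shipped in any release: a simplified model of the selection logic that contrasts falling back to any disk after the timeout with refusing to boot. The device names, the `removable` flag, the candidate table and the function names are assumptions made for the illustration, and elapsed time is simulated with a counter.

```sh
#!/bin/sh
# Simplified model of boot-medium selection; not live-initramfs code.
# Constructed sample, one candidate per line: device:removable:ready_after_s:has_live
# The legitimate USB stick (sdb) is slow; the internal disk (sda) carries
# some other Live system and is ready immediately.
CANDIDATES="sdb:1:20:1
sda:0:0:1"
TIMEOUT=15   # the 15-second window mentioned in the advisory

# scan ELAPSED POLICY: print the first ready device holding a Live system.
# POLICY is "any" or "removable-only".
scan() {
    while IFS=: read -r dev removable ready live; do
        [ "$live" = 1 ] || continue
        [ "$ready" -le "$1" ] || continue
        if [ "$2" = removable-only ] && [ "$removable" != 1 ]; then
            continue
        fi
        echo "$dev"
        return 0
    done <<EOF
$CANDIDATES
EOF
    return 1
}

# Assumed fail-open behaviour: prefer removable media during the timeout,
# then silently accept any disk that holds a Live system.
select_fail_open() {
    t=0
    while [ "$t" -lt "$TIMEOUT" ]; do
        scan "$t" removable-only && return 0
        t=$((t + 1))
    done
    scan "$t" any
}

# Fail-closed alternative: wait up to LIMIT seconds for removable media only,
# and stop with an error instead of falling back to an internal disk.
select_fail_closed() {
    limit=$1
    t=0
    while [ "$t" -le "$limit" ]; do
        scan "$t" removable-only && return 0
        t=$((t + 1))
    done
    echo "no removable Live medium became ready; refusing to boot" >&2
    return 1
}

echo "fail-open selects:   $(select_fail_open)"
echo "fail-closed selects: $(select_fail_closed 60)"
```

With the constructed table, the fail-open path selects the internal disk because the stick is not ready within the window, while the fail-closed path either selects the stick or stops with an error.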

# Impact

Booting a Live system other than the one you expect, without being
told, can lead to any kind of information leak, anonymity break, etc.

# Solution

None yet. Either build your own images from Git, or wait for the
imminent 0.4.2 release.

# Mitigation

Do not use amnesia on untrusted computers.

# Affected versions

Any Debian Live-based system, including every amnesia release up to
and including 0.4.1.