91
New Linux Security Flaw Uses Initramfs to Inject Malware
(www.omgubuntu.co.uk)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 07 Jul 2025
91 points (100.0% liked)
Linux
8676 readers
193 users here now
A community for everything relating to the GNU/Linux operating system (except the memes!)
Also, check out:
Original icon base courtesy of lewing@isc.tamu.edu and The GIMP
founded 2 years ago
MODERATORS
I'm confused.
Initramfs is unencrypted in /boot when using LUKS with RAID. It has to be, right?
The attacker uses a debug shell to modify the unencrypted boot, so the next time you boot and type your LUKS password, they can gain access.
This doesn't line up with your comment?
How are you going to boot something that's encrypted without input to unlock it?
N
You always "boot something that is unencrypted." You then "mount" the encrypted volumes and load the OS.
This is how people can put an SSH server (dropbear) in initramfs so they can unlock remotely.
The attack is to initramfs, not the encrypted layer.
The order'ish:
I'm well aware. You're proving my point at mount.
But.. your original comment is just.. wrong?
The default LUKS partition scheme is vulnerable.
There is a successful POC, it is a flaw.
This is not just in-memory. This is modifying the unencrypted part of initramfs on disk. Powering off the machine does not remove the exploit.