It was just reported that a bug filed on Ubuntu Launchpad (dubbed Local authorization bypass by using suspend mode) about a month ago has been confirmed by several users. The bug allows an individual with physical access to a machine to evade the lock screen simply by removing its hard drive.
The bug could allow access to the latest user opened applications which are highly likely to contain sensitive details such as documents, all sorts of private information, passwords.
Apparently, as reported on Ubuntu Launchpad, the bug has been tested on the following:
- Ubuntu 14.04
- Ubuntu 16.04
- Ubuntu 16.10
- Ubuntu 17.04
It has been confirmed that the bug affects all of the above-mentioned versions. It is still not known whether it affects other versions of Ubuntu as well as other distros. However, experts suspect that the bug may compromise other distributions that are based on Ubuntu 16.04, like Linux Mint 18. One user has confirmed that the bug also affects Mate 18.04.
How is an attack based on this bug possible?
As explained in the bug description:
1. open some applications (LibreOffice, browsers, editors, …)
2. go to suspend mode
3. extract hard drive
4. wake up
5. after that can be several behaviors:
* Ubuntu show lock screen. Enter ANY password -> access granted.
* Ubuntu show lock screen. Enter ANY password, access denied. Fast press the hardware shutdown button -> access granted.
* Ubuntu does not show lock screen, only black screen. We can repeat actions like in previous paragraphs
Attackers may also try the password and be denied access. In case this happens, they can fast press the hardware shut down button and obtain access nonetheless. Another possible scenario is that no lock screen appears but instead the screen goes black in which case the steps described above can still be put into motion.
Marc Deslauriers, a security engineer at Canonical, believes this bug will most likely never be fixed simply because having physical access means an attacker could access the hard disk directly or replace the password on it and unlock the machine anyway.
However, an Ubuntu user has pointed out that the screensaver software could handle the issue to prevent unauthorized access. “I believe that screensaver should handle exceptions in the underlying libraries in such a way to prevent unauthorized access even if underlying library is faulty,” the user said.
Another user underlined that “the system must not give an access to the system with wrong passwords“, asking Ubuntu developers to “pay attention” and “don’t ignore the issue“.