PatchSiren cyber security CVE debrief

CVE-2016-4484 Cryptsetup Project CVE debrief

CVE-2016-4484 is a Debian initrd issue in cryptsetup 2:1.7.3-2 and earlier where repeated invalid password attempts can lead to shell access. The practical risk is strongest on systems with local physical exposure, such as unattended devices or machines where an attacker can interact with the boot process.

Vendor: Cryptsetup Project
Product: CVE-2016-4484
CVSS: MEDIUM 6.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Administrators and maintainers of Debian systems using cryptsetup in initrd/boot workflows, especially on laptops, kiosks, appliances, and servers where local physical access is possible.

Technical summary

NVD classifies this as CWE-287 (Improper Authentication) with CVSS 3.0 vector AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; the AV:P (physical) component reflects that exploitation requires interacting with the boot prompt. The vulnerable condition is described as a Debian initrd script in cryptsetup package 2:1.7.3-2 and earlier that lets a physically proximate attacker gain shell access through many login attempts with an invalid password. NVD also links an upstream patch commit and related advisory discussion.

Defensive priority

Medium overall; prioritize quickly if affected systems are physically accessible or left unattended.

Recommended defensive actions

  • Identify Debian systems using cryptsetup package versions at or below 2:1.7.3-2 in initrd contexts.
  • Apply the upstream fix or a vendor backport that removes the shell-access condition.
  • Restrict physical and console access to devices that can be reached during boot.
  • Verify boot-time unlock and recovery behavior after remediation to ensure failed password attempts do not expose a shell.
  • Track the linked upstream patch and advisory discussions for any package-specific upgrade guidance.
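For the first action, an added example that is not PatchSiren's or the cryptsetup project's code: a Python reimplementation of the dpkg version ordering (epoch, then upstream, then revision; `~` sorts before everything, digit runs compare numerically) so an inventory script can test a version reported by `dpkg-query -W -f='${Version}' cryptsetup` against the 2:1.7.3-2 bound without shelling out to `dpkg --compare-versions`. Only 2:1.7.3-2 comes from the advisory; every other version string below is constructed for illustration.

```python
import re
from itertools import zip_longest

AFFECTED_MAX = "2:1.7.3-2"  # top of the vulnerable range per the NVD record

def _weight(c: str) -> int:
    """dpkg character weight: '~' < end-of-run (or digit) < letters < other punctuation."""
    if not c or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _cmp_component(a: str, b: str) -> int:
    """Compare an upstream-version or revision string the way dpkg does."""
    # Split each string into alternating (non-digit, digit) runs; missing runs are ''.
    ra = re.findall(r"(\D*)(\d*)", a)
    rb = re.findall(r"(\D*)(\d*)", b)
    for (sa, da), (sb, db) in zip_longest(ra, rb, fillvalue=("", "")):
        # Non-digit runs compare character by character by weight; the shorter run pads with 0.
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _weight(ca) != _weight(cb):
                return _weight(ca) - _weight(cb)
        # Digit runs compare numerically, so 1.10 sorts after 1.7.
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def parse_version(v: str):
    """Split [epoch:]upstream[-revision]; epoch defaults to 0, revision to ''."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """Negative, zero or positive, like `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    return (ea - eb) or _cmp_component(ua, ub) or _cmp_component(ra, rb)

def is_affected(installed: str) -> bool:
    """True when the installed cryptsetup version is at or below 2:1.7.3-2."""
    return compare_versions(installed, AFFECTED_MAX) <= 0
```

Note that a naive string comparison gets the constructed cases 2:1.10.0-1 (newer, because 10 > 7) and 2:1.7.3-2~bpo8+1 (older, because `~` sorts first) wrong, which is why the dpkg rules are reproduced rather than approximated.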

Evidence notes

The NVD record for CVE-2016-4484 lists the vulnerable CPE range up to cryptsetup_project:cryptsetup 2:1.7.3-2 and assigns CVSS 3.0 AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H with CWE-287. The reference set includes an upstream GitLab patch commit and multiple oss-security mailing-list discussions dated November 2016, which align with pre-publication remediation activity.

Official resources

Publicly disclosed in the CVE record on 2017-01-23. Linked advisory and mailing-list references show discussion and patching activity in mid-November 2016.