A vulnerability (CVE-2021-33909) in the Linux kernel’s filesystem layer that may allow local, unprivileged attackers to gain root privileges on a vulnerable host has been unearthed by researchers.
“Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable,” said Bharat Jogi, Senior Manager, Vulnerabilities and Signatures, Qualys.
They have also flagged CVE-2021-33910, a closely related systemd vulnerability that could lead to a denial of service condition.
About the vulnerabilities (CVE-2021-33909 and CVE-2021-33910)
The source of both flaws is the incorrect handling of long path names.
“The first vulnerability (CVE-2021-33909) is an attack against the Linux kernel. An unprivileged local attacker can exploit this vulnerability by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB. A successful attack results in privilege escalation,” the Red Hat security team explained.
“The second vulnerability (CVE-2021-33910) is an attack against systemd (the system and service manager) and requires a local attacker with the ability to mount a filesystem with a long path. This attack causes systemd, the services it manages, and the entire system to crash and stop responding.”
Qualys researchers have dubbed CVE-2021-33909 “Sequoia” – “a pun on the bug’s deep directory tree that yields root privileges” – and said that all Linux kernel versions from 2014 (Linux 3.16) onwards are vulnerable.
More technical details, an analysis of the flaw, a PoC, exploitation details and mitigations are included in Qualys’s security advisory. Additional details and a PoC video are available here.
Patches are available
Qualys sent the advisories for the two flaws to Red Hat Product Security in early June, and Red Hat sent the patches they wrote to the linux-distros@openwall and security@kernel mailing lists earlier this month.
CVE-2021-33909 affects Red Hat Enterprise Linux 8, 7, and 6, and CVE-2021-33910 affects Red Hat Enterprise Linux 8.
“Further, any Red Hat product supported on Red Hat Enterprise Linux (including RHEL CoreOS) is also potentially impacted,” the company said.
They provided a vulnerability detection script customers can use to determine if their system is currently vulnerable, and advised customers running affected versions of Red Hat products to apply the available updates immediately.
The Debian Project also recommends upgrading one’s linux and systemd packages.