Security researchers from Qualys have discovered a Local Privilege Escalation (LPE) vulnerability, CVE-2021-33909, in the filesystem layer of the Linux kernel. In addition, a second vulnerability, CVE-2021-33910, has been discovered. Linux distributions such as Debian, Fedora and Ubuntu are vulnerable in their default configuration, allowing unprivileged local users to gain root privileges. Patches to fix the vulnerabilities are available. Here is a rough overview of what is involved.
Vulnerabilities CVE-2021-33909 and CVE-2021-33910
The vulnerabilities were discovered by Qualys security researchers, who disclosed CVE-2021-33909 and CVE-2021-33910 in the blog post Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909). The security researchers state that the vulnerability CVE-2021-33909 is a size_t-to-int type conversion bug in the Linux kernel’s filesystem layer. By exploiting it, any unprivileged local user can gain root privileges on a vulnerable host in its default configuration. To do so, a local attacker has to manipulate the directory structure. The blog post states:
by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string “//deleted” to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer.
However, exploiting this vulnerability, which was probably introduced back in 2014, requires certain preconditions and resources (The Register writes here that the Qualys PoC exploit requires a whopping 5GB of RAM and a million inodes to even work).
A second vulnerability, CVE-2021-33910, exists in the basic/unit-name.c file in systemd. In versions prior to 246.15, 247.8, 248.5 and 249.1, a memory allocation with an excessive size value (involving strdupa and alloca for a pathname controlled by a local attacker) causes the operating system to crash. A video of the exploitation of the vulnerabilities as well as technical details can be found in the linked blog post.
Who is affected?
The vulnerability affects most Linux operating systems using the Linux kernel 3.16 to 5.13.x (see also Debian Security Tracker and the Ubuntu security advisory). In the fs/seq_file.c file, kernel versions prior to 5.13.4 do not properly restrict seq buffer allocations (CVE-2021-33909). This leads to an integer overflow and an out-of-bounds write in the (exotic) situations outlined above. As a result, an unprivileged user could gain root access privileges.
Qualys security researchers were able to develop an exploit for the vulnerability that gave full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11 and Fedora 34 Workstation. Other Linux distributions are likely also vulnerable and exploitable.
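The following script is an added example (not from this article or from Qualys) that compares a kernel and systemd version string against the affected ranges named above: kernel 3.16 up to but excluding 5.13.4 for CVE-2021-33909, and systemd older than 246.15, 247.8, 248.5 or 249.1 (with older branches counted as unfixed) for CVE-2021-33910. It assumes `uname -r`-style and `systemctl --version`-style version strings; because distributions backport fixes without bumping the upstream version number, a "possibly affected" result is a prompt to check the vendor advisory, not a confirmation.

```python
import platform
import re
import subprocess

# Ranges as stated in the article: kernel 3.16 <= version < 5.13.4.
KERNEL_FIRST_AFFECTED = (3, 16, 0)
KERNEL_FIXED = (5, 13, 4)
# systemd: first fixed release per branch (major -> minor).
SYSTEMD_FIXED = {246: 15, 247: 8, 248: 5, 249: 1}


def parse_version(text: str) -> tuple:
    """Leading dotted numeric part: '5.4.0-80-generic' -> (5, 4, 0),
    '247.3-6' -> (247, 3), 'v5.13.0-rc1' -> (5, 13, 0)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def kernel_possibly_affected(version: str) -> bool:
    """True if the upstream kernel version lies in [3.16, 5.13.4)."""
    v = (parse_version(version) + (0, 0, 0))[:3]  # pad '5.13' -> (5, 13, 0)
    return KERNEL_FIRST_AFFECTED <= v < KERNEL_FIXED


def systemd_possibly_affected(version: str) -> bool:
    """True if systemd is older than the first fixed release of its branch.
    Branches older than 246 have no listed fix and count as affected;
    branches newer than 249 are treated as fixed."""
    major, minor = (parse_version(version) + (0,))[:2]
    if major < min(SYSTEMD_FIXED):
        return True
    if major > max(SYSTEMD_FIXED):
        return False
    return minor < SYSTEMD_FIXED[major]


def local_versions() -> dict:
    """Running kernel and installed systemd version of this host (Linux)."""
    out = subprocess.run(["systemctl", "--version"], capture_output=True,
                         text=True, check=False).stdout.splitlines()
    # First line looks like 'systemd 247 (247.3-6)'; prefer the full version.
    m = re.search(r"\(([^)]+)\)", out[0]) if out else None
    sd = m.group(1) if m else (out[0].split()[1] if out else "unknown")
    return {"kernel": platform.release(), "systemd": sd}


if __name__ == "__main__":
    v = local_versions()
    print("kernel", v["kernel"], "possibly affected:",
          kernel_possibly_affected(v["kernel"]))
    print("systemd", v["systemd"], "possibly affected:",
          systemd_possibly_affected(v["systemd"]))
```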
Maintainers provide patches
Qualys security researchers notified Linux distributor Red Hat on June 9, 2021, and there were also various warnings on Linux mailing lists in July 2021. Maintainers of various Linux distributions have since started providing patches to fix these vulnerabilities. Some notes on patches and on how to find out about the vulnerabilities can be found in the Qualys blog post Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909). Otherwise, the Linux distributor is the place to look for patches (see also Debian Security Tracker and the Ubuntu security advisory).