Overview
A new file system vulnerability dubbed as Sequoia (CVE-2021-33909) allows attackers to gain root privileges on most Linux distributions with their default configuration.
Description
Researchers from the cyber security company Qualys discovered a new local privilege escalation vulnerability that affect most Linux distributions such as Ubuntu, Debian and Fedora. Dubbed as Sequoia (CVE-2021-33909), the new vulnerability allows attackers to gain root privileges due to a vulnerability that exist in the Linux kernel’s file system.
Specifically the discovered bug is an integer overflow type vulnerability (A type of Buffer Overflow that allows out-of-bounds writes) that arise from a variable type conversion issue (size-t to int). For the exploitation of the Sequoia vulnerability, an unprivileged attacker can create, mount and delete a deep directory structure whose path length exceeds 1GB and then read the /proc/self/mountinfo file, as described at the Qualys Security Advisory on CVE-2021-33909.
To learn more about the vulnerability and its exploitation steps, you could either refer to the blog post (Qualys Security Blog on CVE-2021-33909) or check the below video shared by the Qualys.
Impact
An unprivileged local attacker can obtain root privileges by exploiting the integer overflow vulnerability (CVE-2021-33909) that exist in the Linux kernel’s file system.
Impact Summary
Category: Elevation of Privilege (Root User)
CVSS 3.1 Base Score: 7.8 High
CVSS 3.1 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Solution
To remediate the Sequoia Linux privilege escalation vulnerability (CVE-2021-33909), Linux kernels needs to be patched/upgraded to the most recent releases.
Though not tested against all possible exploit variations of the the Sequoia vulnerability, the following mitigations could be applied to change the vulnerable default configurations (As illustrated in Figure 1) to protect against the PoC developed by Qualys:
- Set
/proc/sys/kernel/unprivileged_userns_cloneto0. - Set
/proc/sys/kernel/unprivileged_bpf_disabledto1.
/proc/sys/kernel Directory
If debugging is the process of removing software bugs, then programming must be the process of putting them in.
Edsger Dijkstra
Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.
References to Advisories, Solutions and Tools
- https://nvd.nist.gov/ (CVE-2021-33909)
- Qualys Security Blog on CVE-2021-33909
- Qualys Security Advisory on CVE-2021-33909
References to Other Linux Vulnerabilities
- Linux Privilege Escalation Vulnerability (CVE-2021-3560)
- Linux Sudo Vulnerability (CVE-2021-3156)
- Linux Sudo Vulnerability (CVE-2019-14287)
- Linux Sudo Vulnerability (CVE-2019-18634)
To learn more about security vulnerabilities, you could also read our articles What is a Security Vulnerability? or What is Vulnerability Scanning?
To learn more on Linux, you could also read our article Basic Linux Commands for Beginners or visit Linux Resources Page.
