Security auditing firm Qualys has discovered a local privilege escalation (LPE) vulnerability in Linux’s filesystem layer that can allow attackers root access on most modern distros, such as Ubuntu, Debian, and Fedora.
Dubbed as Sequoia and tracked CVE-2021-33909, this size_t-to-int type conversion vulnerability in the Linux Kernel’s Filesystem layer grants any unprivileged user gains root privileges on vulnerable devices by exploiting this vulnerability in a default configuration.
The most important function of a Linux Filesystem is to manage user data. It is also the most important function of any operating system and is ubiquitous on all major Linux operating systems.
According to Qualys security researchers, if an unprivileged local attacker creates, mounts, and deletes a deep directory structure whose total path length exceeds 1GB, the Sequoia bug (an out-of-bounds read) occurs in the Linux OS filesystem component, allowing any low-privileged local account to run code with root privileges.
“Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable,” Bharat Jogi, Sr. Manager, Vulnerabilities and Signatures, Qualys wrote in a blog post.
The security researchers also added that all Linux kernel versions from 2014 (Linux 3.16) onwards are vulnerable.
Below is the Proof of Concept (PoC) video that demonstrates how potential attackers could successfully exploit the vulnerability:
As soon as the Qualys research team confirmed the bug, they notified the Linux kernel team in early June.
Qualys recommends users to apply patches released by several Linux distros on Tuesday to address this issue. Qualys customers can search the vulnerability knowledgebase for CVE-2021-33909 to identify all the QIDs and assets vulnerable for this vulnerability.
If you are not a customer, start your free Qualys VMDR trial to get full access to the QIDs (detections) for CVE-2021-33909, so you can identify your vulnerable assets.
Additionally, Qualys on Tuesday also disclosed a Denial of service (stack exhaustion) vulnerability tracked as CVE-2021-33910, a closely related systemd vulnerability that can be exploited by unprivileged attackers to trigger a kernel panic.
“The second vulnerability (CVE-2021-33910) is an attack against systemd (the system and service manager) and requires a local attacker with the ability to mount a filesystem with a long path. This attack causes systemd, the services it manages, and the entire system to crash and stop responding.”