Linux File System Vulnerability
An Out-of-bounds Write flaw was found in the Linux kernel’s seq_file in the filesystem layer. This flaw was discovered by the Qualys Research Team (QRT). If exploited successfully, this vulnerability could lead to data corruption, system crashes and up to the execution of unauthorized code. This flaw allows unprivileged user to gain root privileges to the vulnerable host. This flaw exists in default versions on most Linux distributions and has been labeled as “Sequoia.”
Due to improper restrictions of the seq buffer allocations and not validating the size_t-to-int conversion prior to performing operations, this flaw allows for integer overflow, Out-of-bounds memory write, and escalation to root privileges by an unprivileged user, aka CID-8cae8cd89f05.
An attacker can take advantage of this vulnerability by creating, mounting and deleting a deep directory structure whose total path length exceeds 1gigabit. If the attacker then open()s and read()s /proc/self/mountinfo and combines several other maneuvers found here, then they are able to write to the out-of-bounds memory.
Qualys was able to provide a proof of concept and were able to obtain full roof privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34.
Affected versions: Linux kernel 3.16 through 5.13.x before 5.13.4
Due to proper escalation of this vulnerability, patches have been released for this flaw. Security On-Demand recommends immediately patching of all Linux Kernel versions listed above and all Linux distributions.
If a kernel upgrade is not possible at this time, the following mitigation can be applied:
- Setting /proc/sys/kernel/unprivileged_userns_clone to 0
- Setting /proc/sys/kernel/unprivileged_bpf_disabled to 1.
This prevents an attacker from mounting a long directory in a user namespace and prevents the loading of an eBPF program into the kernel.
The mitigation does not guarantee prevention of other means of exploitation.
The only guaranteed fix is to upgrade all Linux versions and kernels.
The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. If you have any questions about this alert, please contact your Security On-Demand Customer Success Manager.