New Cyber Defense Brand DeepSeas to Unite Newly Acquired Commercial Managed Threat Services Business from Booz Allen Hamilton with Security On-Demand. Learn More

Schedule a demo

Threat Advisory: Linux File System Vulnerability

Peter Bybee

Peter Bybee

Linux File System Vulnerability

Event Summary

An Out-of-bounds Write flaw was found in the Linux kernel’s seq_file in the filesystem layer. This flaw was discovered by the Qualys Research Team (QRT). If exploited successfully, this vulnerability could lead to data corruption, system crashes and up to the execution of unauthorized code. This flaw allows unprivileged user to gain root privileges to the vulnerable host.  This flaw exists in default versions on most Linux distributions and has been labeled as “Sequoia.”

 Details

NIST – CVE-2021-33909

Due to improper restrictions of the seq buffer allocations and not validating the size_t-to-int conversion prior to performing operations,  this flaw allows for integer overflow, Out-of-bounds memory write, and escalation to root privileges by an unprivileged user, aka CID-8cae8cd89f05.

An attacker can take advantage of this vulnerability by creating, mounting and deleting a deep directory structure whose total path length exceeds 1gigabit. If the attacker then open()s and read()s /proc/self/mountinfo and combines several other maneuvers found here, then they are able to write to the out-of-bounds memory. 

Qualys was able to provide a proof of concept and were able to obtain full roof privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34.

Affected versions: Linux kernel 3.16 through 5.13.x before 5.13.4

 Recommendations

Due to proper escalation of this vulnerability, patches have been released for this flaw.  Security On-Demand recommends immediately patching of all Linux Kernel versions listed above and all Linux distributions.

If a kernel upgrade is not possible at this time, the following mitigation can be applied:

  • Setting /proc/sys/kernel/unprivileged_userns_clone to 0
  • Setting /proc/sys/kernel/unprivileged_bpf_disabled to 1.

This prevents an attacker from mounting a long directory in a user namespace and prevents the loading of an eBPF program into the kernel.

The mitigation does not guarantee prevention of other means of exploitation.

The only guaranteed fix is to upgrade all Linux versions and kernels.

 SOD Actions

The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates.  If you have any questions about this alert, please contact your Security On-Demand Customer Success Manager.  

Additional Resources

NIST – CVE-2021-33909

Mitre – CVE-2021-33909

Qualys – Sequoia Disclosure and Technical Details

Ubuntu – Sequoia Details and Security Updates

Red Hat – Sequoia Details and Security Updates

RECOMMENDED POSTS

70% of threats today cannot be detected using static cyber security tools. Security On-Demand’s ThreatWatch® platform can detect the advanced threats that most providers miss. 

Detect Early. Respond Early.

sales@securityondemand.com

SERVICES

ABOUT

SIGN-UP FOR FREE THREAT FLASH ALERTS

FOLLOW US

Twitter-square Linkedin Facebook Youtube

© 2014-2022 Security On-Demand. All Right Reserved