Researchers have discovered a serious vulnerability buried deep in the Linux file system that could allow an unprivileged user to gain root privileges.
The bug (CVE-2021-33909) has been there since at least 2014 and it affects a wide range of Linux distributions, including Debian, Ubuntu, Fedora, and many others. The researchers at Qualys who discovered the flaw developed an exploit that worked against several of those distributions and disclosed the bug to the affected vendors. Engineers at Red Hat, which hosts the main Linux development mailing list, developed a patch for the flaw. The bug, which Qualys has named Sequoia, requires local access to the target machine for successful exploitation.
“We discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer,” the Qualys advisory says.
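The bug class the advisory names, a size_t length narrowed to int before it is used as an offset, is easy to see in isolation. The following C is an added illustration written for this article, not Qualys's code and not the kernel's: a deliberately narrowing function beside a version that bounds-checks in size_t and refuses to narrow a value an int cannot hold. The buffer sizes and path lengths are constructed, and the wrap to a negative value is what GCC and Clang produce (ISO C leaves it implementation-defined).

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Vulnerable pattern (illustration only): a size_t length is cast to int
 * and then used as a write offset. Anything above INT_MAX wraps negative,
 * so the computed destination lies below the start of the buffer, which is
 * the shape of the write the advisory describes. */
static int64_t vulnerable_write_offset(size_t used)
{
    int off = (int)used;            /* the size_t-to-int conversion */
    return (int64_t)off;
}

/* Hardened pattern: stay in size_t, check that the pending write fits, and
 * reject any count an int could not represent before narrowing it.
 * Returns the offset on success, or -1 if the write must be refused. */
static int64_t checked_write_offset(size_t buf_size, size_t used, size_t len)
{
    if (used > buf_size || len > buf_size - used)   /* overflow-safe fit check */
        return -1;
    if (used > (size_t)INT_MAX)                     /* would not survive narrowing */
        return -1;
    return (int64_t)(int)used;                      /* narrowing is now lossless */
}

int main(void)
{
    const size_t tag_len = 10;                      /* length of "//deleted" from the advisory */
    const size_t small = 4096;                      /* constructed: an ordinary path length */
    const size_t huge = ((size_t)1 << 31) + 10;     /* constructed: just over 2 GiB */

    printf("small path: unchecked offset %lld\n",
           (long long)vulnerable_write_offset(small));
    printf("huge path:  unchecked offset %lld (negative => below the buffer)\n",
           (long long)vulnerable_write_offset(huge));
    printf("small path: checked offset %lld\n",
           (long long)checked_write_offset(huge + 2 * tag_len, small, tag_len));
    printf("huge path:  checked result %lld (-1 => write refused)\n",
           (long long)checked_write_offset(huge + 2 * tag_len, huge, tag_len));
    return 0;
}
```

The fit check is written as `len > buf_size - used` after confirming `used <= buf_size`, so it cannot itself overflow; the separate INT_MAX check is what stops a large but otherwise in-bounds count from turning negative when a downstream API takes an int.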
The Sequoia vulnerability is serious and its reach is broad, but the requirement for local system access mitigates the potential damage for enterprises. There is an upstream patch available for the bug now, but it’s not clear how many vendors have incorporated it yet.
“Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable,” Bharat Jogi, a senior manager for vulnerabilities and signatures at Qualys, said in a post.
Red Hat Enterprise Linux 6, 7, and 8 are all affected by the vulnerability, as are any other Red Hat products supported on those vulnerable versions. The company said that it has not found any potential mitigations for this flaw and recommends that customers update vulnerable packages as soon as they can.