OSG-SEC-2021-07-22 High risk vulnerability in Linux kernel file system
Dear OSG Security Contacts,
A new HIGH risk vulnerability in the Linux kernel file system has been discovered [1] that may allow unprivileged users to gain root access by crafting a long path name in the file system [2][3][4].
The OSG Security team considers this vulnerability to be of HIGH severity and is advising sites to patch their Linux kernel as soon as reasonably possible. There are currently no known mitigations for this vulnerability.
IMPACTED VERSIONS:
All Red Hat, CentOS, Debian and Ubuntu systems may be vulnerable.
For information on Red Hat systems see [3].
For information on Debian systems see [6].
For information on Ubuntu systems see [7].
For information on CentOS systems see [8].
WHAT IS THE VULNERABILITY:
An unprivileged local attacker can exploit this vulnerability by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB. A successful attack results in privilege escalation. For more information see [1][2].
WHAT YOU SHOULD DO:
At present, there is no effective mitigation and sites should update hosts to a fixed version of the kernel as soon as possible. At the time of this announcement fixed versions are already available for RHEL [3], Debian [6], and Ubuntu systems [7]. Fixed CentOS versions have been announced and are currently syncing to mirrors [8].
Because the security team that discovered this vulnerability intends to publish their exploit in the near future [5], the risk associated with running an unpatched version will grow over time, so it is recommended that sites update their systems as soon as reasonably possible.
OSG will update this announcement with elevated severity if an effective exploit for gaining privileged access is published.
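Sites with many hosts usually want a quick way to confirm that the kernel actually booted on a node carries the fix, not just that a newer package was installed. The script below is an added example written for this advisory, not OSG code or a vendor tool: it looks up the package changelog for the running kernel (rpm -qf on the booted vmlinuz on RPM hosts, the linux-image changelog.Debian.gz on Debian/Ubuntu hosts, both assumed to be where the vendor records the fix) and reports whether CVE-2021-33909 is referenced. The fixed version numbers themselves come from [3], [6], [7] and [8]; the sample changelog embedded here is constructed for the self-test and is not real vendor data.

```python
#!/usr/bin/env python3
"""Report whether the *running* kernel's package changelog references a CVE.

Added example for the OSG advisory (not OSG or vendor code). Assumes RPM hosts
record the fix in the kernel package changelog and that Debian/Ubuntu hosts ship
/usr/share/doc/linux-image-<release>/changelog.Debian.gz; adjust the lookup if
your distribution records fixes elsewhere.
"""
import gzip
import os
import re
import shutil
import subprocess

CVE_ID = "CVE-2021-33909"  # the kernel file system issue in this advisory


def changelog_mentions(changelog_text: str, cve_id: str) -> bool:
    """True if cve_id appears as a whole identifier: CVE-2021-33909 must not
    match inside CVE-2021-339091, so require a non-digit on both sides."""
    pattern = r"(?<!\d)" + re.escape(cve_id) + r"(?!\d)"
    return re.search(pattern, changelog_text, flags=re.IGNORECASE) is not None


def running_kernel_release() -> str:
    """The booted kernel (what uname -r prints), which is what matters:
    an updated-but-not-rebooted host is still running the old kernel."""
    return os.uname().release


def rpm_changelog(release: str) -> str:
    """RPM hosts: ask which package owns the booted vmlinuz (the package name
    differs between EL releases), then dump that package's changelog."""
    owner = subprocess.run(["rpm", "-qf", f"/boot/vmlinuz-{release}"],
                           capture_output=True, text=True, check=True).stdout.strip()
    return subprocess.run(["rpm", "-q", "--changelog", owner],
                          capture_output=True, text=True, check=True).stdout


def deb_changelog(release: str) -> str:
    """Debian/Ubuntu hosts: read the gzipped changelog shipped with the image."""
    path = f"/usr/share/doc/linux-image-{release}/changelog.Debian.gz"
    with gzip.open(path, "rt", errors="replace") as fh:
        return fh.read()


def collect_changelog(release: str) -> str:
    if shutil.which("rpm"):
        return rpm_changelog(release)
    if shutil.which("dpkg"):
        return deb_changelog(release)
    raise RuntimeError("neither rpm nor dpkg found; check the vendor advisory by hand")


def assess(release: str, changelog_text: str, cve_id: str = CVE_ID) -> dict:
    """Verdict for one host: fixed=True only if the running kernel's changelog
    references the CVE. Absence means update, or reboot into the updated kernel."""
    fixed = changelog_mentions(changelog_text, cve_id)
    if fixed:
        message = f"{release}: changelog references {cve_id}; running kernel includes the fix"
    else:
        message = f"{release}: no reference to {cve_id}; update or reboot into the fixed kernel"
    return {"release": release, "cve": cve_id, "fixed": fixed, "message": message}


# Constructed sample in the style of an RPM kernel changelog entry (not real
# vendor data); used only to exercise assess() without touching the host.
SAMPLE_CHANGELOG = """\
* Tue Jul 20 2021 Example Packager <packager@example.invalid> [placeholder-version]
- fs: harden handling of very long path names (CVE-2021-33909)
- unrelated change
"""


if __name__ == "__main__":
    rel = running_kernel_release()
    print(assess(rel, collect_changelog(rel))["message"])
```

Run it on each node after the update and reboot; a node that still reports "no reference" either has not been rebooted into the new kernel or received a package whose changelog does not mention the CVE, in which case compare the running version against the fixed versions listed in [3], [6], [7] or [8] by hand.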
REFERENCES
[1] https://access.redhat.com/security/vulnerabilities/RHSB-2021-006
[2] https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909
[3] https://access.redhat.com/security/cve/cve-2021-33909
[4] https://nvd.nist.gov/vuln/detail/CVE-2021-33909
[5] https://www.openwall.com/lists/oss-security/2021/07/20/1
[6] https://security-tracker.debian.org/tracker/CVE-2021-33909
[7] https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-33909
[8] https://lists.centos.org/pipermail/centos-announce/2021-July/048344.html
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team