
SVG:Advisory-SVG-CVE-2021-33909

From EGIWiki
Revision as of 12:44, 6 October 2021 by Cornwall (talk | contribs) (Created page with "{{svg-header}} <pre> Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk Sequoia Privilege escalation in Linux file system CVE-2021-33909 [EGI-SVG-CVE-...")

Advisory-SVG-CVE-2021-33909



Title:       EGI SVG 'ADVISORY'  [TLP:WHITE] CRITICAL risk Sequoia Privilege escalation in 
              Linux file system CVE-2021-33909 [EGI-SVG-CVE-2021-33909]

Date:        2021-07-22
Updated:     2021-07-28, 2021-08-26, 2021-10-06

Affected software and risk
==========================

**UPDATE 2021-08-26 - Qualys have announced that their exploit has been released; therefore the risk
for this vulnerability has been raised to CRITICAL** [R 10]

CRITICAL risk vulnerability concerning the Linux kernel file system

Package : Linux kernel
CVE ID  : CVE-2021-33909

A vulnerability has been reported which may allow unprivileged users to gain root access
via the crafting of a long path name in the file system. [R 1], [R 2], [R 3], [R 4], [R 5]

**UPDATE 2021-07-28 - updated kernel version now available for Scientific Linux [R 9]**

Actions required/recommended
============================

All running resources MUST be patched by 2021-09-03 00:00 UTC if they are not already.

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. 


Component installation information
==================================

For information related to Red Hat see [R 3]

For information related to Debian see [R 6]

For information related to Ubuntu see [R 7] 

Note that for CentOS a fixed version of the kernel is in the repository, but it has not been announced.

**UPDATE 2021-07-27**

For information related to Scientific Linux see [R 9]


Mitigation
==========

No mitigation for the vulnerability has been identified by Red Hat.

No mitigation has been proposed which does not seriously impact the usability for WLCG and related VOs.

More information
================

See the Qualys Security Advisory [R 5] for further details.

This can be exploited by unprivileged local users via a combination of unprivileged user namespaces and fusermount.
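As an added example (not part of the EGI advisory or of any vendor tooling), the following POSIX shell posture check reports whether the two preconditions named above, unprivileged user namespaces and a setuid fusermount, are present on a host. The sysctl paths and fusermount locations it inspects are assumptions, not taken from the advisory: `user.max_user_namespaces` on mainline kernels and `kernel.unprivileged_userns_clone` on Debian/Ubuntu-patched kernels. A value of 0 in either only removes one exploitation route and, as the Mitigation section notes, may break workloads that depend on user namespaces or FUSE; the report is input to a patching decision, not a substitute for the kernel update.

```shell
#!/bin/sh
# Hypothetical posture check for CVE-2021-33909 preconditions (added example,
# not from the EGI advisory). It reads state only and changes nothing.
#
# Assumptions (not stated in the advisory):
#  - /proc/sys/user/max_user_namespaces (mainline) and
#    /proc/sys/kernel/unprivileged_userns_clone (Debian/Ubuntu patch) are the
#    knobs governing unprivileged user namespaces; 0 means disabled.
#  - fusermount is installed at one of the candidate paths in host_report.

# userns_state FILE -> prints "enabled", "disabled" or "absent".
# FILE is a sysctl entry under /proc/sys; takes a path so it can be tested
# against a constructed file as well as the live kernel.
userns_state() {
    f=$1
    [ -r "$f" ] || { echo absent; return; }
    v=$(tr -d '[:space:]' < "$f")
    if [ "$v" = "0" ]; then
        echo disabled
    else
        echo enabled
    fi
}

# setuid_state FILE -> prints "setuid", "not-setuid" or "absent".
# The advisory's exploitation route relies on fusermount being setuid root.
setuid_state() {
    f=$1
    [ -e "$f" ] || { echo absent; return; }
    if [ -u "$f" ]; then
        echo setuid
    else
        echo not-setuid
    fi
}

# host_report -> one line per check, suitable for a ticket or a
# configuration-management fact. Both sysctls are shown because a
# Debian-style kernel can have max_user_namespaces > 0 while
# unprivileged_userns_clone is 0.
host_report() {
    echo "user.max_user_namespaces:       $(userns_state /proc/sys/user/max_user_namespaces)"
    echo "kernel.unprivileged_userns_clone: $(userns_state /proc/sys/kernel/unprivileged_userns_clone)"
    for c in /usr/bin/fusermount /usr/bin/fusermount3 /bin/fusermount; do
        echo "$c: $(setuid_state "$c")"
    done
}

host_report
```

Run it as an unprivileged user on each host; a line showing both sysctls as `enabled` together with a `setuid` fusermount means the route the advisory describes is open until the kernel is updated. Hosts that report `disabled` or `absent` still need the patch, since other routes to the same kernel bug are not excluded by this check.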

TLP and URL
===========

**WHITE information - Unlimited distribution
  - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions**

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2021-33909

Minor updates may be made without re-distribution to the sites

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to

report-vulnerability at egi.eu

and the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 8].

Note that this is undergoing revision.


References
==========

[R 1] https://access.redhat.com/security/vulnerabilities/RHSB-2021-006

[R 2] https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909

[R 3] https://access.redhat.com/security/cve/cve-2021-33909

[R 4] https://nvd.nist.gov/vuln/detail/CVE-2021-33909

[R 5] https://www.openwall.com/lists/oss-security/2021/07/20/1

[R 6] https://security-tracker.debian.org/tracker/CVE-2021-33909

[R 7] https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-33909

[R 8] https://documents.egi.eu/public/ShowDocument?docid=3145

[R 9] https://scientificlinux.org/category/sl-errata/

[R 10] https://twitter.com/qualys/status/1430606633437040644

Credit
======

SVG was alerted to this vulnerability by David Crooks and Dave Dykstra

Timeline
========
Yyyy-mm-dd  [EGI-SVG-2021-CVE-2021-33909]

2021-07-20 SVG alerted to this issue by David Crooks and Dave Dykstra
2021-07-20 Acknowledgement from the EGI SVG to the reporter
2021-07-20 Investigation of vulnerability and relevance to EGI carried out 
2021-07-21 EGI SVG Risk Assessment completed
2021-07-21 Updated packages available
2021-07-22 Advisory completed and sent to sites. 
2021-07-28 Update as fixed version available in Scientific Linux.
2021-08-26 Update as exploit released raising the risk to 'CRITICAL'
2021-10-06 Placed on the EGI SVG wiki

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 8],
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group;
we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending
on how the software is used.

-----------------------------
This advisory is subject to the Creative Commons licence https://creativecommons.org/licenses/by/4.0/ and
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited.
------------------------------

Note that the SVG issue handling procedure is currently under review, to take account of the increasing 
inhomogeneity of the EGI infrastructure.

On behalf of the EGI SVG,