Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk Sequoia Privilege escalation in Linux file system CVE-2021-33909 [EGI-SVG-CVE-2021-33909]

Date: 2021-07-22
Updated: 2021-07-28, 2021-08-26, 2021-10-06

Affected software and risk
==========================

**UPDATE 2021-08-26 - Qualys have announced that their exploit has been released, therefore the risk for this vulnerability has been raised to CRITICAL** [R 10]

CRITICAL risk vulnerability concerning the Linux kernel file system

Package : Linux kernel
CVE ID  : CVE-2021-33909

A vulnerability has been reported which may allow unprivileged users to gain root access via the crafting of a long path name in the file system. [R 1], [R 2], [R 3], [R 4], [R 5]

**UPDATE 2021-07-28 - updated kernel version now available for Scientific Linux [R 9]**

Actions required/recommended
============================

All running resources MUST be patched by 2021-09-03 00:00 UTC if they are not already.

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.

Component installation information
==================================

For information related to RedHat see [R 3]
For information related to Debian see [R 6]
For information related to Ubuntu see [R 7]

Note for CentOS: a fixed version of the kernel is in the repository, but has not been announced.

**UPDATE 2021-07-27** For information related to Scientific Linux see [R 9]

Mitigation
==========

No mitigation for the vulnerability has been identified by RedHat.

No mitigation has been proposed which does not seriously impact the usability for WLCG and related VOs.

More information
================

See the Qualys Security Advisory [R 5] for further details.

This can be exploited by unprivileged local users via a combination of unprivileged user namespaces and fusermount.
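The advisory names two host-side preconditions for the exploit path Qualys described (unprivileged user namespaces and a setuid fusermount). The POSIX shell script below is an added example, not part of the EGI SVG advisory or of any EGI tooling: it reports the running kernel and whether those two preconditions are present, so a site can order its patching queue. The sysctl paths /proc/sys/user/max_user_namespaces and /proc/sys/kernel/unprivileged_userns_clone (the latter exists only on Debian/Ubuntu kernels) and the fusermount locations are assumptions of the example; the advisory does not list them. A "precondition-missing" verdict does not mean the host is safe: only the updated kernel closes CVE-2021-33909.

```shell
#!/bin/sh
# Added example, not part of the EGI SVG advisory: report whether the two
# non-kernel preconditions the advisory names for CVE-2021-33909 exploitation
# (unprivileged user namespaces and a setuid fusermount) are present, so a
# site can prioritise hosts while the kernel update is rolled out.
# Assumed paths: /proc/sys/user/max_user_namespaces (mainline sysctl),
# /proc/sys/kernel/unprivileged_userns_clone (Debian/Ubuntu only) and the
# usual fusermount locations; none of these come from the advisory itself.

# userns_enabled FILE: "yes" if the sysctl file holds a value > 0,
# "no" if it holds 0, "unknown" if the file is unreadable or non-numeric.
userns_enabled() {
    f="$1"
    [ -r "$f" ] || { echo "unknown"; return 0; }
    v=$(cat "$f" 2>/dev/null)
    case "$v" in
        ''|*[!0-9]*) echo "unknown" ;;
        0)           echo "no" ;;
        *)           echo "yes" ;;
    esac
}

# fusermount_setuid PATH: "absent" if the file is missing, "yes" if its
# setuid bit is set, otherwise "no".
fusermount_setuid() {
    p="$1"
    [ -e "$p" ] || { echo "absent"; return 0; }
    if [ -u "$p" ]; then echo "yes"; else echo "no"; fi
}

# exposure_summary USERNS FUSERMOUNT: combine the two answers into one verdict.
# Only a patched kernel closes the vulnerability; "precondition-missing" just
# means the specific exploit path described by Qualys is not available as-is.
exposure_summary() {
    case "$1:$2" in
        yes:yes)             echo "exposed" ;;
        no:*|*:no|*:absent)  echo "precondition-missing" ;;
        *)                   echo "unknown" ;;
    esac
}

# host_report: run the checks against this host and print one line per item.
host_report() {
    u=$(userns_enabled /proc/sys/user/max_user_namespaces)
    # Debian/Ubuntu kernels gate unprivileged clone separately; if that knob
    # exists and is 0, user namespaces are off regardless of the max count.
    if [ "$(userns_enabled /proc/sys/kernel/unprivileged_userns_clone)" = "no" ]; then
        u="no"
    fi
    fm="absent"
    for p in /usr/bin/fusermount /bin/fusermount /usr/bin/fusermount3; do
        r=$(fusermount_setuid "$p")
        [ "$r" = "absent" ] || { fm="$r"; break; }
    done
    echo "kernel: $(uname -r)"
    echo "unprivileged user namespaces: $u"
    echo "setuid fusermount: $fm"
    echo "exploit preconditions: $(exposure_summary "$u" "$fm")"
}

host_report
```

Run it as any user on each host; no root is needed because it only reads sysctl files and file modes. The verdict line is the one to collect centrally, alongside the kernel line, which is what actually decides whether the host still needs the update.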
TLP and URL
===========

** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2021-33909

Minor updates may be made without re-distribution to the sites.

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to report-vulnerability at egi.eu; the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 8]. Note that this is undergoing revision.

References
==========

[R 1] https://access.redhat.com/security/vulnerabilities/RHSB-2021-006
[R 2] https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909
[R 3] https://access.redhat.com/security/cve/cve-2021-33909
[R 4] https://nvd.nist.gov/vuln/detail/CVE-2021-33909
[R 5] https://www.openwall.com/lists/oss-security/2021/07/20/1
[R 6] https://security-tracker.debian.org/tracker/CVE-2021-33909
[R 7] https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-33909
[R 8] https://documents.egi.eu/public/ShowDocument?docid=3145
[R 9] https://scientificlinux.org/category/sl-errata/
[R 10] https://twitter.com/qualys/status/1430606633437040644

Credit
======

SVG was alerted to this vulnerability by David Crooks and Dave Dykstra

Timeline
========

Yyyy-mm-dd [EGI-SVG-2021-CVE-2021-33909]

2021-07-20 SVG alerted to this issue by David Crooks and Dave Dykstra
2021-07-20 Acknowledgement from the EGI SVG to the reporter
2021-07-20 Investigation of vulnerability and relevance to EGI carried out
2021-07-21 EGI SVG Risk Assessment completed
2021-07-21 Updated packages available
2021-07-22 Advisory completed and sent to sites.
2021-07-28 Update as fixed version available in Scientific Linux.
2021-08-26 Update as exploit released, raising the risk to 'CRITICAL'
2021-10-06 Placed on the EGI SVG wiki

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose "To minimize the risk to the EGI infrastructure arising from software vulnerabilities".

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 8], in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used.

-----------------------------

This advisory is subject to the Creative Commons licence https://creativecommons.org/licenses/by/4.0/ and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited.

------------------------------

Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of the EGI infrastructure.

On behalf of the EGI SVG,