CVE-2021-33909 was disclosed on the 20th of July. It describes a vulnerability in the Linux filesystem layer (the seq_file code behind /proc, fs/seq_file.c) that leads to local privilege escalation when successfully exploited. The vulnerable code was introduced in a commit dating from July 2014 (Linux 3.16), so every distribution shipping that kernel or any later unpatched version is affected, and proof-of-concept code for several common distributions has already been written.
TuxCare’s KernelCare is finalising patches for all supported and affected distributions, and subscribers will start to receive these very soon.
[UPDATE] Patches are now being delivered for the following Linux distributions:
- CloudLinux 6h and 7
- OEL 6, 7 and 8
- RHEL 6, 7 and 8
- CentOS 6, 6-plus, 7 and 8
- AlmaLinux 8
- Ubuntu Bionic, Focal and Xenial
- SL 6
[UPDATE #2] The following distributions also have patches being delivered now:
- CloudLinux 8
- Debian 8, 9
- OEL6-uek4, OEL7-uek4, OEL7-uek5, OEL7-uek6, OEL8-uek6
[UPDATE #3] The following distributions are now also being delivered:
- Debian 10, Debian 10-cloud
Let’s dive deeper into this vulnerability to understand how it represents an exploitable path to root for basically any distribution.
From an attacker's standpoint, the trigger is to create a (very) deep directory structure whose total path length exceeds 1 GB, mount it (a bind mount inside an unprivileged user namespace is enough), delete it, and then read the mount table through /proc/self/mountinfo. While formatting the path of that deleted mount point, the kernel writes a fixed short string far outside the buffer it is formatting into, i.e. into kernel memory that a regular user should never be able to touch.
At this point the attack is only a memory corruption, and a rigid one: the content and the offset of the write are fixed, and what the attacker controls is which kernel object ends up sitting at that distance from the buffer. To turn it into an elevation of privileges, the attacker first loads a seemingly innocent, specially crafted piece of code into the kernel. The public PoC uses an eBPF program (eBPF being an especially active area for kernel bugs): the program passes every check the verifier performs, but is placed so that, when the out-of-bounds write happens, it lands inside the already-verified program and slightly alters it. The modified program can then call kernel functions that are not normally reachable from a regular user's code.
While the attack method is convoluted, successful PoC code is already available, providing a turnkey exploit for this vulnerability. You can see the exploit PoC in action here. It is expected that such code, or some variation thereof, will reach commonly available exploit frameworks in the coming days or weeks, making this a trivially accessible path to achieve root in a vulnerable system.
In the kernel, the root cause is a size_t-to-int conversion: the seq_file buffer size, an unsigned 64-bit size_t on 64-bit systems, is handed down the path-building code as a signed 32-bit int. A buffer of 2 GB fits comfortably in the size_t, but as an int it comes out negative; the subtraction that follows wraps it back to a large positive value, so the only length check passes and the write lands about 2 GB below the start of the buffer instead of inside it.
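To make the conversion concrete, here is a small user-space model written for this post; it is not code from the original article, from the advisory, or from the kernel, and it reproduces only the integer arithmetic of the hand-off described above: seq_dentry() in fs/seq_file.c passes the seq_file buffer size (a size_t) to dentry_path(), where it becomes an int, and prepend() then subtracts the length of the "//deleted" marker and checks for a negative result. It also shows why the path has to exceed 1 GB (seq_read() doubles the buffer from one page until the line fits, so a 2 GB buffer results) and the shape of the upstream fix, which refuses seq buffer allocations above MAX_RW_COUNT. PAGE_SIZE and MAX_RW_COUNT are given their x86_64 kernel values; the function and struct names are this example's own.

```c
/*
 * Added example (not from the original post or the kernel): a user-space
 * model of the size_t-to-int conversion behind CVE-2021-33909.  Only the
 * integer arithmetic of seq_dentry() -> dentry_path() -> prepend() is
 * reproduced; nothing is written to memory.
 */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE     4096u
#define PAGE_MASK     (~(PAGE_SIZE - 1u))
#define MAX_RW_COUNT  ((unsigned int)INT_MAX & PAGE_MASK)   /* kernel: INT_MAX & PAGE_MASK */

/* Two's-complement narrowing to int, written without relying on an
 * implementation-defined cast.  This is what (int)size does on x86_64. */
static int to_int_wrap(uint64_t v)
{
    uint32_t u = (uint32_t)v;
    if (u <= (uint32_t)INT_MAX)
        return (int)u;
    return (int)(u - (uint32_t)INT_MAX - 1u) + INT_MIN;
}

/* int subtraction with wrap-around: the kernel is built with
 * -fno-strict-overflow, so "*buflen -= namelen" wraps instead of trapping. */
static int wrap_sub(int a, int b)
{
    return to_int_wrap((uint32_t)a - (uint32_t)b);
}

/* seq_read() starts with one page and doubles the buffer until the line
 * fits, so a line of just over 1 GiB forces a 2 GiB seq_file buffer. */
static size_t required_seq_buf_size(size_t line_bytes)
{
    size_t size = PAGE_SIZE;
    while (size < line_bytes)
        size <<= 1;
    return size;
}

struct probe {
    int rejected;            /* 1 if prepend() returned -ENAMETOOLONG */
    long long write_offset;  /* byte offset from buffer start where "//deleted" lands */
};

/* Model of dentry_path() for an unlinked (deleted) dentry, as reached from
 * seq_dentry(): the size_t buffer size arrives as "int buflen", then
 * prepend(&p, &buflen, "//deleted", 10) runs its single bounds check. */
static struct probe probe_deleted_write(size_t seq_buf_size)
{
    struct probe r = { 0, 0 };
    int buflen = to_int_wrap(seq_buf_size);   /* the lossy size_t -> int conversion */
    long long p = buflen;                     /* p = buf + buflen, as an offset from buf */

    buflen = wrap_sub(buflen, 10);            /* *buflen -= namelen */
    if (buflen < 0) {                         /* the only check before the memcpy */
        r.rejected = 1;
        return r;
    }
    p -= 10;                                  /* *buffer -= namelen; memcpy(*buffer, ...) */
    r.write_offset = p;
    return r;
}

/* Shape of the upstream fix: refuse seq_file buffers whose size does not fit
 * a positive int (the same bound read()/write() use, MAX_RW_COUNT). */
static int seq_buf_alloc_allowed(size_t size)
{
    return size <= MAX_RW_COUNT;
}

int main(void)
{
    size_t sizes[] = { PAGE_SIZE, (size_t)1 << 30, (size_t)1 << 31 };
    for (size_t i = 0; i < 3; i++) {
        struct probe r = probe_deleted_write(sizes[i]);
        printf("seq buffer %11zu bytes: alloc %s, prepend %s, write at offset %lld\n",
               sizes[i],
               seq_buf_alloc_allowed(sizes[i]) ? "allowed" : "REFUSED (fixed kernel)",
               r.rejected ? "rejected" : "accepted", r.write_offset);
    }
    printf("a line of 1 GiB + 1 byte needs a %zu-byte seq buffer\n",
           required_seq_buf_size(((size_t)1 << 30) + 1));
    return 0;
}
```

For a 4 KiB or 1 GiB buffer the marker is written ten bytes before the end of the buffer, exactly as intended. For a 2 GiB buffer the int becomes INT_MIN, the subtraction wraps to a large positive value, the check passes, and the write offset comes out as -2147483658: ten bytes past 2 GiB below the buffer. Only sizes in the range 2^31 + 10 up to 2^32 - 1 would be caught by the negative check, and seq_read() never produces those because it only doubles, which is why a 2 GiB buffer is the one that slips through. With the MAX_RW_COUNT cap the allocation is refused before any of this arithmetic runs.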
According to the CVE report, the flaw was introduced by commit 058504ed (“fs/seq_file: fallback to vmalloc allocation”) in July 2014 and has been present in all kernel versions since 3.16. Distributions like Ubuntu 20.04, 20.10 and 21.04, as well as Debian 11 and Fedora 34, have already been shown to be vulnerable, and it’s expected that all other distributions running any kernel version from the past 7 years will also be susceptible to this vulnerability.