The Dataprise Blog

Linux Sequoia Kernel LPE Vulnerability: Dataprise Defense Digest

Jul 22, 2021 BY DATAPRISE

Linux Sequoia Kernel LPE Vulnerability: Dataprise Defense Digest

EXECUTIVE SUMMARY

In an advisory released by Redhat (informed by researchers at Qualys) on July 20, 2021 via their website, a vulnerability in the Linux kernel file system that allows attackers to gain root privileges has been disclosed. This vulnerability is a Local Privilege Escalation (LPE) vulnerability. This exploit has been named Sequoia and is being tracked as CVE-2021-33909. Though this vulnerability can only be exploited locally, Dataprise still considers this a HIGH severity incident because an attacker can gain root privileges on a vulnerable host. All Linux kernel versions from 2014 (Linux 3.16) onwards are vulnerable.

DETAILED ANALYSIS

In this local privilege escalation vulnerability, CVE-2021-33909, fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05. This vulnerability allows an attack against the Linux kernel. An unprivileged local attacker can exploit this vulnerability by creating, mounting and deleting a deep directory structure whose total path length exceeds 1GB, A successful attack results in privilege escalation. This vulnerability affects a wide range of Linux distributions, including RedHat, Debian, Ubuntu and many other. Redhat has developed a patch for this vulnerability. It is advised to apply the patches/upgrade the Linux packages for this vulnerability. 

Ars Technica provides the following summary of how the exploit works:

  1. We mkdir() a deep directory structure (roughly 1M nested directories) whose total path length exceeds 1GB, we bind-mount it in an unprivileged user namespace, and rmdir() it.

  2. We create a thread that vmalloc()ates a small eBPF program (via BPF_PROG_LOAD), and we block this thread (via userfaultfd or FUSE) after our eBPF program has been validated by the kernel eBPF verifier but before it is JIT-compiled by the kernel.

  3. We open() /proc/self/mountinfo in our unprivileged user namespace and start read()ing the long path of our bind-mounted directory, thereby writing the string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated buffer.

  4. We arrange for this "//deleted" string to overwrite an instruction of our validated eBPF program (and therefore nullify the security checks of the kernel eBPF verifier) and transform this uncontrolled out-of-bounds write into an information disclosure and into a limited but controlled out-of-bounds write.

  5. We transform this limited out-of-bounds write into an arbitrary read and write of kernel memory by reusing Manfred Paul's beautiful btf and map_push_elem techniques from: https://www.thezdi.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification

MITIGATION

  1. Upgrade the Linux packages/apply the patches for this vulnerability

SOURCES

CONTRIBUTING AUTHORS

  • Stephen Jones, Senior Director Cybersecurity
  • Ayyappa Vyamasani, Security Analyst
Information Security
Want the latest IT insights? SUBSCRIBE