Linux Sequoia Kernel LPE Vulnerability: Dataprise Defense Digest

Executive Summary

In an advisory released by Redhat (informed by researchers at Qualys) on July 20, 2021 via their website, a vulnerability in the Linux kernel file system that allows attackers to gain root privileges has been disclosed. This vulnerability is a Local Privilege Escalation (LPE) vulnerability. This exploit has been named Sequoia and is being tracked as CVE-2021-33909. Though this vulnerability can only be exploited locally, Dataprise still considers this a HIGH severity incident because an attacker can gain root privileges on a vulnerable host. All Linux kernel versions from 2014 (Linux 3.16) onwards are vulnerable.

Detailed Analysis

In this local privilege escalation vulnerability, CVE-2021-33909, fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05. This vulnerability allows an attack against the Linux kernel. An unprivileged local attacker can exploit this vulnerability by creating, mounting and deleting a deep directory structure whose total path length exceeds 1GB, A successful attack results in privilege escalation. This vulnerability affects a wide range of Linux distributions, including RedHat, Debian, Ubuntu and many other. Redhat has developed a patch for this vulnerability. It is advised to apply the patches/upgrade the Linux packages for this vulnerability. 

Ars Technica provides the following summary of how the exploit works:

1. We mkdir() a deep directory structure (roughly 1M nested directories) whose total path length exceeds 1GB, we bind-mount it in an unprivileged user namespace, and rmdir() it.
2. We create a thread that vmalloc()ates a small eBPF program (via BPF_PROG_LOAD), and we block this thread (via userfaultfd or FUSE) after our eBPF program has been validated by the kernel eBPF verifier but before it is JIT-compiled by the kernel.
3. We open() /proc/self/mountinfo in our unprivileged user namespace and start read()ing the long path of our bind-mounted directory, thereby writing the string “//deleted” to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated buffer.
4. We arrange for this “//deleted” string to overwrite an instruction of our validated eBPF program (and therefore nullify the security checks of the kernel eBPF verifier) and transform this uncontrolled out-of-bounds write into an information disclosure and into a limited but controlled out-of-bounds write.
5. We transform this limited out-of-bounds write into an arbitrary read and write of kernel memory by reusing Manfred Paul’s beautiful btf and map_push_elem techniques from: https://www.thezdi.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification

Mitigation

1. Upgrade the Linux packages/apply the patches for this vulnerability

Sources

• https://access.redhat.com/security/cve/cve-2021-33909
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33909
• https://www.zerodayinitiative.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification
• https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909

<p< p=””>

Contributing Authors

• Stephen Jones, Senior Director Cybersecurity
• Ayyappa Vyamasani, Security Analyst

</p<>