EGI SVG Advisories

Advisory-SVG-CVE-2021-33909

Title:   EGI SVG 'ADVISORY'  [TLP:WHITE] CRITICAL risk Sequoia Privilege
         escalation in Linux file system CVE-2021-33909
         [EGI-SVG-CVE-2021-33909]

Date:    2021-07-22
Updated: 2021-07-28, 2021-08-26, 2021-10-06

Affected software and risk
==========================

**UPDATE 2021-08-26 - Qualys have announced that their exploit has been
released therefore the risk for this vulnerability has been raised to
CRITICAL** [R 10]

CRITICAL risk vulnerability concerning the Linux kernel file system

Package : Linux kernel
CVE ID  : CVE-2021-33909

A vulnerability has been reported which may allow unprivileged users to gain
root access, via the crafting of a long path name in the file system. [R 1],
[R 2], [R 3], [R 4], [R 5]

**UPDATE 2021-07-28 - updated kernel version now available for Scientific Linux
[R 9]**

Actions required/recommended
============================

All running resources MUST be patched by 2021-09-03 00:00 UTC if they are not
already.

Sites failing to act and/or failing to respond to requests from the EGI CSIRT
team risk site suspension.


Component installation information
==================================

For information related to RedHat see [R 3]

For information related to Debian see [R 6]

For information related to Ubuntu see [R 7]

Note for CentOS a fixed version of the kernel is in the repository, but has not
been announced.

**UPDATE 2021-07-27**

For information related to Scientific Linux see [R 9]


Mitigation
==========

No mitigation for the vulnerability has been identified by RedHat.

No mitigation has been proposed which does not seriously impact the usability
for WLCG and related VOs.

More information
================

See the Qualys Security Advisory [R 5] for further details.

This can be exploited by unprivileged local users via a combination of
unprivileged user namespaces and fusermount.
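The advisory names two preconditions for exploitation on an unpatched host: usable unprivileged user namespaces and a setuid fusermount binary. The following audit script is an added example (not part of the EGI advisory, and not a mitigation) that reports whether those two preconditions are present so a site can gauge exposure while waiting for the distribution kernel update. The sysctl names (`user.max_user_namespaces`, `kernel.unprivileged_userns_clone`) and the `command -v fusermount` lookup are assumptions about the host, not values from the advisory; patch status itself must be checked against the distribution references [R 3], [R 6], [R 7], [R 9].

```shell
#!/bin/sh
# Added exposure audit for CVE-2021-33909 preconditions: illustrative code,
# not part of the EGI advisory. The real fix is the distribution kernel update;
# this only reports the two preconditions the advisory mentions.
# Assumed host knobs: user.max_user_namespaces (RHEL-style) and
# kernel.unprivileged_userns_clone (Debian-style); either may be absent.

# userns_precondition MAX_NS CLONE
#   MAX_NS : value of user.max_user_namespaces ("" if the sysctl is absent)
#   CLONE  : value of kernel.unprivileged_userns_clone ("" if absent)
#   Returns 0 when unprivileged user namespaces appear usable, 1 otherwise.
userns_precondition() {
    max_ns="$1"
    clone="$2"
    if [ -n "$max_ns" ] && [ "$max_ns" = "0" ]; then
        return 1
    fi
    if [ "$clone" = "0" ]; then
        return 1
    fi
    return 0
}

# fusermount_precondition MODE
#   MODE : octal permission string as printed by "stat -c %a" (e.g. 4755)
#   Returns 0 when the setuid bit is set, 1 otherwise ("" counts as not set).
fusermount_precondition() {
    case "$1" in
        4???|5???|6???|7???) return 0 ;;
        *) return 1 ;;
    esac
}

# exposure_summary MAX_NS CLONE MODE
#   Prints one word describing how many of the two preconditions are present.
exposure_summary() {
    ns="no"
    su="no"
    userns_precondition "$1" "$2" && ns="yes"
    fusermount_precondition "$3" && su="yes"
    if [ "$ns" = "yes" ] && [ "$su" = "yes" ]; then
        echo "both-preconditions-present"
    elif [ "$ns" = "yes" ] || [ "$su" = "yes" ]; then
        echo "one-precondition-present"
    else
        echo "neither-precondition-present"
    fi
}

# --- live report for the current host (all lookups best-effort) ---
live_max_ns=$(sysctl -n user.max_user_namespaces 2>/dev/null || true)
live_clone=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null || true)
live_fm=$(command -v fusermount 2>/dev/null || true)
live_mode=""
if [ -n "$live_fm" ]; then
    live_mode=$(stat -c %a "$live_fm" 2>/dev/null || true)
fi
echo "kernel: $(uname -r)"
echo "user.max_user_namespaces: ${live_max_ns:-<absent>}"
echo "kernel.unprivileged_userns_clone: ${live_clone:-<absent>}"
echo "fusermount: ${live_fm:-<not found>} mode ${live_mode:-<n/a>}"
echo "assessment: $(exposure_summary "$live_max_ns" "$live_clone" "$live_mode")"
```

The assessment line is informational only: a host reporting "neither-precondition-present" is still vulnerable until the fixed kernel is running, and the advisory notes that no mitigation has been proposed which does not seriously impact usability for WLCG and related VOs.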

TLP and URL
===========

**WHITE information - Unlimited distribution
- see https://go.egi.eu/tlp for distribution restrictions**

URL:   https://advisories.egi.eu/Advisory-SVG-CVE-2021-33909

Minor updates may be made without re-distribution to the sites

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to

report-vulnerability at egi.eu

and the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 8].

Note that this is undergoing revision.


References
==========

[R 1] https://access.redhat.com/security/vulnerabilities/RHSB-2021-006

[R 2] https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909

[R 3] https://access.redhat.com/security/cve/cve-2021-33909

[R 4] https://nvd.nist.gov/vuln/detail/CVE-2021-33909

[R 5] https://www.openwall.com/lists/oss-security/2021/07/20/1

[R 6] https://security-tracker.debian.org/tracker/CVE-2021-33909

[R 7] https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-33909

[R 8] https://documents.egi.eu/public/ShowDocument?docid=3145

[R 9] https://scientificlinux.org/category/sl-errata/

[R 10] https://twitter.com/qualys/status/1430606633437040644

Credit
======

SVG was alerted to this vulnerability by David Crooks and Dave Dykstra

Timeline
========
Yyyy-mm-dd  [EGI-SVG-2021-CVE-2021-33909]

2021-07-20 SVG alerted to this issue by David Crooks and Dave Dykstra
2021-07-20 Acknowledgement from the EGI SVG to the reporter
2021-07-20 Investigation of vulnerability and relevance to EGI carried out
2021-07-21 EGI SVG Risk Assessment completed
2021-07-21 Updated packages available
2021-07-22 Advisory completed and sent to sites.
2021-07-28 Update as fixed version available in Scientific Linux.
2021-08-26 Update as exploit released raising the risk to 'CRITICAL'
2021-10-06 Placed on the EGI SVG wiki

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities".

The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 8], in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group; we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.

-----------------------------
This advisory is subject to the Creative Commons licence
https://creativecommons.org/licenses/by/4.0/ and the EGI https://www.egi.eu/
Software Vulnerability Group must be credited.
-----------------------------

Note that the SVG issue handling procedure is currently under review, to take
account of the increasing inhomogeneity of the EGI infrastructure.

On behalf of the EGI SVG,