Recently, security researchers discovered a size_t-to-int type conversion vulnerability in the filesystem layer of the Linux kernel, and believe that all Linux kernel versions since 2014 may be affected. The vulnerability was named Sequoia (CVE-2021-33909); it is a local privilege escalation vulnerability that allows low-privileged users to gain root privileges.
Principle of Sequoia vulnerability
The Linux kernel filesystem interface is a layered architecture, consisting of a user interface layer, the filesystem implementations, and the storage device drivers. It is one of the operating system's most important functions and is present in practically every Linux system.
The seq_file interface of the Linux kernel generates a virtual file containing a sequence of records, and each record must fit in the seq_file buffer. When the buffer runs out of space, it is simply doubled in size. But what happens if that size_t buffer size is passed to a function whose size parameter is a 32-bit int rather than a size_t? That is exactly the principle behind the Sequoia vulnerability.
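As an added illustration (not code from this page, from Qualys, or from the kernel), the following C program models the conversion described above: a seq_file-style buffer that doubles until a record fits, the value a callee with a 32-bit int parameter sees once that size_t crosses 2^31, and a caller that refuses the conversion instead of silently truncating. The names seq_grow_to_fit, as_int, legacy_reserve and checked_reserve are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

_Static_assert(sizeof(int) == 4, "this demo assumes a 32-bit int, as on Linux");

/* Grow a buffer the way the article describes the seq_file buffer growing:
 * start at one page and double until the record fits. No upper bound is
 * enforced, which is the pre-patch behaviour. Returns the final size. */
size_t seq_grow_to_fit(size_t initial, size_t needed)
{
    size_t size = initial;
    while (size < needed)
        size <<= 1;
    return size;
}

/* What a callee sees once a size_t is passed where an int is expected.
 * Out-of-range conversion is implementation-defined in C; GCC and Clang wrap
 * modulo 2^32, so 2^31 becomes INT_MIN, i.e. a negative length. */
int as_int(size_t n) { return (int)n; }

/* Hypothetical stand-in for a callee whose length parameter is an int.
 * Returns the room left after reserving namelen bytes, or -1 if none. */
int legacy_reserve(int buflen, int namelen)
{
    buflen -= namelen;
    return buflen < 0 ? -1 : buflen;
}

/* Hardened caller: refuse lengths that do not fit an int instead of
 * truncating them. Returns the room left, or -1 if rejected / no room. */
long checked_reserve(size_t buflen, size_t namelen)
{
    if (buflen > (size_t)INT_MAX || namelen > (size_t)INT_MAX)
        return -1;                          /* refuse rather than convert */
    return legacy_reserve((int)buflen, (int)namelen);
}

int main(void)
{
    size_t need = ((size_t)1 << 30) + 1;    /* a record just over 1 GiB */
    size_t size = seq_grow_to_fit(4096, need); /* doubles up to 2^31 bytes */
    printf("buffer grew to %zu bytes; as int the callee sees %d\n",
           size, as_int(size));
    printf("checked caller: %s\n",
           checked_reserve(size, 10) < 0 ? "rejected oversized length" : "ok");
    return 0;
}
```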
Security researchers from Qualys said: by creating, mounting, and deleting a deep directory structure with a total path length of more than 1GB, and then open()ing and read()ing /proc/self/mountinfo, an unprivileged local attacker can, through a series of further operations, achieve an out-of-bounds memory write. Attackers can use this to destroy data, crash the system, or even execute unauthorized code.
Qualys researchers successfully exploited the vulnerability and obtained full root privileges under the default installation settings of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 workstations. Other Linux distributions may also have this vulnerability and be exploited.
Solution
The Qualys team discovered the vulnerability in early June, and Red Hat has released a patch. On July 20th, Linux kernel maintainer Greg Kroah-Hartman released Linux kernel 5.13.4, which contains the patch for Sequoia.
If the kernel cannot be upgraded, users can still mitigate the problem by setting /proc/sys/kernel/unprivileged_userns_clone to 0, which prevents attackers from mounting long directories in a user namespace. However, an attacker can still mount long directories through a userspace filesystem (FUSE). When the long directory exceeds 8MB, systemd will exhaust its stack and crash, taking the entire operating system down with it.
Users can also set /proc/sys/kernel/unprivileged_bpf_disabled to 1 to prevent attackers from loading eBPF programs into the kernel.
However, the above mitigations only block Qualys' specific exploitation method, and other attack paths may exist. To fully fix the vulnerability, the kernel must be patched.
Reference link:
- https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909
- https://www.zdnet.com/article/patch-now-linux-file-system-security-hole-dubbed-sequoia-can-take-over-systems/#ftag=RSSbaffb68
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.13.4