A vulnerability was discovered in the Linux kernel, which made it possible for some low-privileged accounts to gain root privileges on some popular distributions, including Ubuntu, Debian and Fedora. The vulnerability is named Sequoia, and it exists at the file system layer.
This security issue is believed to affect all versions of the Linux kernel released since 2014, which means that a large number of distributions have vulnerabilities. Specifically, the vulnerability is a type conversion vulnerability from size_t to int, which can be exploited to elevate permissions.
A security researcher from Qualys wrote: We found a vulnerability in the file system layer of the Linux kernel to convert size tint: by creating, mounting, and deleting a deep directory structure with a total path length of more than 1GB, there is no privileged A local attacker can write the 10-byte string //deleted to an offset -2GB-10B just below the beginning of the vmalloc()ated kernel buffer.
Researchers have successfully used this uncontrolled out-of-bounds writing to achieve full root permissions on the default installation of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11 and Fedora 34 workstations; other Linux distributions of course also have them. Vulnerabilities, and may be exploited. The use of this vulnerability to complete the privilege escalation requires approximately 5GB of memory.
Qualys has released a proof-of-concept program, which can be found here:
The security researchers provided the details of a solution but pointed out that they only prevented the exploitation of our specific vulnerabilities (but there may be other exploitation techniques). Set /proc/sys/kernel/unprivileged_userns_clone to 0 to prevent attackers from mounting a long directory in the user namespace.
However, an attacker may mount a long directory through FUSE; this may be futile because the CVE-2021-33910 vulnerability of system has not been fixed: if an attacker mounts a long directory (over 8MB) through FUSE, then the system will exhaust its stack, crash, and crash the entire operating system.
Set /proc/sys/kernel/unprivileged_bpf_disabled to 1 to prevent attackers from loading eBPF programs into the kernel. However, an attacker may destroy other vmalloc()ated objects (for example, thread stacks). Qualys said that in order to completely fix this vulnerability, the kernel must be patched, which also requires the kernel team to confirm, fix and disclose the new version.