Patch now: Linux file system security hole, dubbed Sequoia, can take over systems | ZDNet en

0

By

Steven J. Vaughan-Nichols

| July 21, 2021 — 20:00 GMT (21:00 BST)

| Topic: Security

Some days, it doesn’t rain, it pours. That’s the case with Linux today. Not one, but two serious security holes have recently been exposed. First, there was a systemd bug which could easily knock out systems. Now there’s this security hole in the Linux kernel’s file system, which any user could use to take over a computer. Like I said, some days it just pours.

The best Linux Foundation classes

Want a good tech job? Then you need to know Linux and open-source software. One of the best ways to pick them up is via a Linux Foundation course.

Read More

The Qualys Research Team, which uncovered the file system bug, also discovered a size_t-to-int type conversion vulnerability in the Linux kernel’s filesystem. This Linux security hole has been named Sequoia and it’s been designated CVE-2021-33909.

Doesn’t sound like much, does it? Au contraire! It can be used against most Linux distributions in their default configurations. And, worse still, any — I repeat, any — unprivileged user can abuse it to gain root privileges.

Here’s how it works. We all use filesystems every day, but you probably don’t think about how it works. Who, except for developers, does? In Linux’s case, the file system interface is implemented in a three-layered architecture. There’s the user interface layer; the file system implementation; and the storage device drivers. 

Within the Linux kernel’s seq_file interface produces virtual files containing sequences of records. Each record must fit into a seq_file buffer. When it runs out of space, it’s just enlarged by doubling its size. That’s not a problem. You’ll run out of memory long before you can hack the system with this. The problem shows up because this size_t variable is also passed to functions whose size argument is a signed 32-bit integer, not a size_t. And that, my friend, while a very large number, can be overrun. 

Then, as Bharat Jogi, Qualys’ Senior Manager of Vulnerabilities and Signatures, explains, « If an unprivileged local attacker creates, mounts, and deletes a deep directory structure whose total path length exceeds 1GB, and if the attacker open()s and read()s /proc/self/mountinfo, then » through a series of other maneuvers you can write to out of bounds memory. 

And, with that, you can corrupt data, crash the system, or, worst of all, execute unauthorized code. Alas, there are numerous known hacks that use memory overruns to become the root user and grab control of a computer. 

In fact, that’s exactly what Qualys security team did. They developed an exploit, which they then used to obtain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34. OK, let’s just admit it. Pretty much any Linux distro is vulnerable to this trick.

The good news is that while this problem is alive and nasty in any system running the Linux kernel 3.16 through 5.13.x before 5.13.4, patches are available. In fact, I patched my Linux Mint desktop for it, before I even started to write this story. Yes, it’s that bad. 

Eric Sandeen, Red Hat’s top file system developer, came up with a fix for the problem. 

Greg Kroah-Hartman, the Linux kernel maintainer for the Linux stable branch, subsequently released the kernel patch for Sequoia on July 20th in the Linux kernel 5.13.4 release.

If you can’t upgrade your kernel, you can still mitigate the problem by setting /proc/sys/kernel/unprivileged_userns_clone to 0. This prevents an attacker from mounting a long directory in a user namespace. However, the attacker may still be able to mount a poisonously long directory via Filesystem in Userspace (FUSE). You should also set /proc/sys/kernel/unprivileged_bpf_disabled to 1. This prevents an attacker from loading an eBPF program into the kernel. However, there may be other ways to attack. The only sure way to stop this security hole in its track is to update your kernel. 

This fix is also available in most Linux distributions now. So, if you’ve been sitting on your hands and not updating your Linux computers, it’s time to get off them and start typing in patching commands.

By

Steven J. Vaughan-Nichols

| July 21, 2021 — 20:00 GMT (21:00 BST)

| Topic: Security

By registering, you agree to the Terms of Use and acknowledge the data practices outlined in the Privacy Policy.

You will also receive a complimentary subscription to the ZDNet’s Tech Update Today and ZDNet Announcement newsletters. You may unsubscribe from these newsletters at any time.

You agree to receive updates, alerts, and promotions from the CBS family of companies – including ZDNet’s Tech Update Today and ZDNet Announcement newsletters. You may unsubscribe at any time.

By signing up, you agree to receive the selected newsletter(s) which you may unsubscribe from at any time. You also agree to the Terms of Use and acknowledge the data collection and usage practices outlined in our Privacy Policy.

The ban was made after China’s internet regulator found soft pornographic images of children appearing on various digital platforms.

Joseph O’Connor is accused of taking over the Twitter accounts of Barack Obama, Joe Biden and 128 others in July 2020.

Update: A spokesperson for the Tokyo Games said that after an investigation they confirmed that this was not a leak from Tokyo 2020’s system.

The constituent communication platform was hit with a ransomware attack in May and waited nearly a week to notify government officials.

© 2021 ZDNET, A RED VENTURES COMPANY. ALL RIGHTS RESERVED.
Privacy Policy |
Cookie Settings |
Advertise |
Terms of Use

Related title:
Patch now: Linux file system security hole, dubbed Sequoia, can take over systems
A New Linux Kernel Bug Grants Root Access On Most Modern Distros
Two Linux vulnerabilities give exploiters root privileges
Patch Now: A security hole in the Linux filesystem called Sequoia can take over the system
Sequoia: Linux kernel security flaw gives unprivileged users root access
Linux systemd bug allows denial of service attacks
Researchers flag 7-years-old privilege escalation flaw in Linux kernel (CVE-2021-33909) – Help Net Security
New Linux kernel bug lets you get root on most modern distros

en

Keywords:

Linux kernel,File system,Vulnerability,Privilege escalation,Computer security,Linux kernel, File system, Vulnerability, Privilege escalation, Computer security,,

QU’EN PENSEZ-VOUS?

[comment]

PUB

Laisser un commentaire, votre avis compte!

[gs-fb-comments] [comment-form]