ISN 2021-04: IGEL OS Kernel Privilege Escalation

Announced 23 July 2021

Updated 23 September 2021 (IGEL OS 11.06.100 is now available)

CVSS 3.1 Score: 7.8 (High)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

A local privilege escalation vulnerability affects the following IGEL products:

• IGEL OS 11

• IGEL OS 10

Details

A research team from Qualys has discovered a vulnerability in the Linux kernel’s filesystem layer (CVE-2021-33909). An unprivileged local user can use it to gain root privileges.

Update Instructions

• IGEL OS 11: Upgrade to IGEL OS 11.06.100

• IGEL OS 10: Upgrade to IGEL OS 11

Mitigation

• Disable terminal access for the user, see IGEL OS > Versions of IGEL OS > (11.09.310-en) IGEL OS > (11.09.310-en) IGEL OS Articles > (11.09.310-en) Security > (11.09.310-en) Security IGEL OS Endpoints > (11.09.310-en) Disabling Access to Components > (11.09.310-en) Disabling Local Terminal Access.

• Disable virtual console access, see IGEL OS > Versions of IGEL OS > (11.09.310-en) IGEL OS > (11.09.310-en) IGEL OS Articles > (11.09.310-en) Security > (11.09.310-en) Security IGEL OS Endpoints > (11.09.310-en) Disabling Access to Components > (11.09.310-en) Disabling Virtual Console Access

• As the attack relies on mounting user-controlled filesystems, disable mounting of filesystems by the user:

  • Disable storage hotplug (disabled by default), see IGEL OS > Versions of IGEL OS > (11.09.310-en) IGEL OS > (11.09.310-en) IGEL OS Articles > (11.09.310-en) Security > (11.09.310-en) Security IGEL OS Endpoints > (11.09.310-en) Minimizing the Attack Surface > (11.09.310-en) Disabling Storage Hotplug.

  • Remove the Mobile Device Access USB feature (removed by default), see IGEL OS > Versions of IGEL OS > (11.09.310-en) IGEL OS > (11.09.310-en) IGEL OS Articles > (11.09.310-en) Security > (11.09.310-en) Security IGEL OS Endpoints > (11.09.310-en) Minimizing Attack Surface > (11.09.310-en) Removing Unused Features.

• Qualys has published mitigations for the specific exploit that their researchers used (other exploitation techniques may exist): https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909

References

• Qualys, “Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909)”: https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909

• CVE-2021-33909: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33909