ISN 2021-05: IGEL OS Denial of Service
Announced 23 July 2021
Updated 23 September 2021 (IGEL OS 11.06.100 is now available)
CVSS 3.1 Score: 8.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
A local denial of service vulnerability affects the following IGEL products:
IGEL OS 11
IGEL OS 10
Details
A research team from Qualys discovered a vulnerability in systemd
(CVE-2021-33910). An unprivileged local user can exploit it to crash systemd
(PID 1) and, with it, the whole operating system (kernel panic).
Update Instructions
IGEL OS 11: Upgrade to IGEL OS 11.06.100
IGEL OS 10: Upgrade to IGEL OS 11
Mitigation
Disable terminal access for the user, see the IGEL OS documentation: Security > Security IGEL OS Endpoints > Disabling Access to Components > Disabling Local Terminal Access.
Disable virtual console access, see the IGEL OS documentation: Security > Security IGEL OS Endpoints > Disabling Access to Components > Disabling Virtual Console Access.
As the attack relies on mounting user-controlled filesystems, disable mounting of filesystems by the user:
Disable storage hotplug (disabled by default), see the IGEL OS documentation: Security > Security IGEL OS Endpoints > Minimizing the Attack Surface > Disabling Storage Hotplug.
Remove the Mobile Device Access USB feature (removed by default), see the IGEL OS documentation: Security > Security IGEL OS Endpoints > Minimizing the Attack Surface > Removing Unused Features.
References
Qualys, “CVE-2021-33910: Denial of Service (Stack Exhaustion) in systemd (PID 1)”: https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/cve-2021-33910-denial-of-service-stack-exhaustion-in-systemd-pid-1
CVE-2021-33910: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33910