Announced 23 July 2021
Updated 23 September 2021 (IGEL OS 11.06.100 is now available)
CVSS 3.1 Score: 7.8 (High)
A local privilege escalation vulnerability affects the following IGEL products:
- IGEL OS 11
- IGEL OS 10
A research team from Qualys has discovered a vulnerability in the Linux kernel’s filesystem layer (CVE-2021-33909). An unprivileged local user can use it to gain root privileges.
Solution:
- IGEL OS 11: Upgrade to IGEL OS 11.06.100
- IGEL OS 10: Upgrade to IGEL OS 11
Workarounds (if the upgrade cannot be applied yet):
- Disable terminal access for the user, see Disabling Local Terminal Access.
- Disable virtual console access, see Disabling Virtual Console Access.
- As the attack relies on mounting user-controlled filesystems, disable mounting of filesystems by the user:
- Qualys has published mitigations for the specific exploit that their researchers used (other exploitation techniques may exist): https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909
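The following read-only audit script is an added example, not IGEL's or Qualys' own code. It checks a host for the two risk-reduction points above: whether unprivileged users are allowed to mount filesystems through fstab (the `user`, `users` or `owner` mount options), and whether the two kernel knobs that Qualys' write-up recommends for the exploit it describes are set (unprivileged user namespaces off, unprivileged eBPF off). The fstab path and the `/proc/sys/kernel` file names are assumptions for a standard Linux layout; adjust them for your image.

```shell
#!/bin/sh
# Added audit helper for CVE-2021-33909 hardening state (example code, not
# IGEL's or Qualys'). Read-only: it only reads files and prints findings.
# Assumed paths: /etc/fstab and the /proc/sys/kernel files named below.

# Print the whitespace-trimmed contents of a sysctl-style file, or "missing".
read_knob() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf 'missing'
    fi
}

# Succeed (exit 0) when the knob file holds exactly the expected value.
knob_is() {          # $1 = file path, $2 = expected value
    [ "$(read_knob "$1")" = "$2" ]
}

# Succeed when an fstab-format file lets unprivileged users mount something:
# an options field (4th column) containing user, users or owner.
fstab_allows_user_mount() {   # $1 = path to an fstab-format file
    [ -r "$1" ] || return 1
    awk '
        /^[ \t]*#/ || NF < 4 { next }        # skip comments and short lines
        {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "user" || opt[i] == "users" || opt[i] == "owner")
                    found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print one report line per check; always returns 0 so it runs under set -e.
sequoia_audit() {
    fstab=${1:-/etc/fstab}
    printf 'kernel: %s\n' "$(uname -r)"
    if fstab_allows_user_mount "$fstab"; then
        printf 'FINDING  %s contains user-mountable entries (user/users/owner)\n' "$fstab"
    else
        printf 'ok       %s has no user-mountable entries\n' "$fstab"
    fi
    # Qualys mitigation 1: forbid unprivileged user namespaces. The file
    # kernel.unprivileged_userns_clone exists only on kernels carrying the
    # Debian/Ubuntu patch; elsewhere it reads "missing" and the mainline
    # knob user.max_user_namespaces is the one to review.
    if knob_is /proc/sys/kernel/unprivileged_userns_clone 0; then
        printf 'ok       unprivileged user namespaces disabled\n'
    else
        printf 'FINDING  unprivileged_userns_clone = %s (Qualys recommends 0)\n' \
            "$(read_knob /proc/sys/kernel/unprivileged_userns_clone)"
    fi
    # Qualys mitigation 2: forbid unprivileged eBPF program loading
    # (value 1 or 2 both disable it; Qualys recommends 1).
    case "$(read_knob /proc/sys/kernel/unprivileged_bpf_disabled)" in
        1|2) printf 'ok       unprivileged eBPF disabled\n' ;;
        *)   printf 'FINDING  unprivileged_bpf_disabled = %s (Qualys recommends 1)\n' \
                 "$(read_knob /proc/sys/kernel/unprivileged_bpf_disabled)" ;;
    esac
    return 0
}

sequoia_audit "$@"
```

Run it as `sh sequoia_audit.sh` (optionally with an alternative fstab path as the first argument) on a device before and after applying the workarounds; a line starting with `FINDING` marks a setting still in its permissive state. The script does not judge the kernel version, because the fixed version is delivered by the IGEL OS upgrade named in the solution, not by a setting the device administrator can toggle.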
References:
- Qualys, “Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909)”: https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909
- CVE-2021-33909: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33909