CVE-2021-3847 in Linuxinfo

Summary

by MITRE • 04/02/2022

An unauthorized access to the execution of the setuid file with capabilities flaw in the Linux kernel OverlayFS subsystem was found in the way user copying a capable file from a nosuid mount into another mount. A local user could use this flaw to escalate their privileges on the system.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/05/2022

The vulnerability identified as CVE-2021-3847 represents a critical privilege escalation flaw within the Linux kernel's OverlayFS subsystem that stems from improper handling of setuid files with capabilities during file operations. This issue specifically manifests when a user copies a file with capabilities from a filesystem mounted with the nosuid option to another filesystem that allows setuid operations. The flaw resides in the kernel's overlay filesystem implementation where the system fails to properly validate or enforce the security restrictions associated with capability-bearing setuid files during cross-mount file operations. This vulnerability directly violates fundamental security principles by allowing unauthorized privilege escalation through what should be a controlled file transfer operation.

The technical mechanism behind this vulnerability involves the OverlayFS subsystem's failure to properly sanitize file capabilities when files are copied between different mount points with varying security attributes. When a file with setuid bits and specific capabilities is copied from a nosuid mount to a regular mount, the kernel's overlay implementation does not correctly strip or validate the capabilities associated with the setuid binary. This oversight creates a scenario where the copied file retains its elevated privileges and capabilities, allowing a local attacker to execute these privileged operations without proper authorization. The flaw operates at the kernel level and specifically affects the overlay filesystem's file copying logic, which is designed to merge multiple filesystems into a single hierarchical view.

From an operational impact perspective, this vulnerability enables local attackers to escalate their privileges from standard user level to root access without requiring any special authentication or external exploitation vectors. The attack requires only that the user have access to a nosuid mounted filesystem and the ability to perform file operations between different mount points. This makes the vulnerability particularly dangerous in multi-user environments where users might have access to various filesystem mounts with different security configurations. The privilege escalation occurs silently without generating audit logs that would typically indicate such security violations, making detection difficult and potentially allowing persistent unauthorized access to systems.

Security mitigations for CVE-2021-3847 primarily involve applying kernel updates that address the specific flaw in the overlay filesystem implementation. System administrators should immediately patch affected kernel versions and verify that the patch correctly resolves the capability handling during file copy operations. Additionally, organizations should implement monitoring for unusual file copy operations between different mount points, particularly when dealing with files that have setuid bits or capability attributes. The vulnerability aligns with CWE-276, which describes improper privilege management, and maps to ATT&CK technique T1068, which covers privilege escalation through local exploitation. Organizations should also consider implementing additional security controls such as mandatory access controls, file integrity monitoring, and regular security assessments to detect and prevent similar vulnerabilities in other kernel subsystems. The flaw demonstrates the critical importance of proper capability validation in kernel filesystem operations and highlights the need for comprehensive security testing of all kernel subsystems that handle file operations with elevated privileges.

Reservation

10/01/2021

Disclosure

04/02/2022

Moderation

accepted

CPE

ready

EPSS

0.00453

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!