The vulnerability, discovered by Qualys researchers, tracked as CVE-2021-33909, resides in the filesystem layer used to manage user data, a feature universally used by all Linux operating systems. According to Qualys’ research, the vulnerability affects all Linux kernel versions released since 2014.
By exploiting this vulnerability, attackers can gain root privileges on many current distributions. “Using these vulnerabilities, we obtained root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11 and Fedora 34 Workstation,” the researchers said in a statement.
Qualys also announced on 21.07.2021 that it discovered a “stack exhaustion denial-of-service vulnerability” in systemd, tracked as CVE-2021-33910, which can be exploited by unprivileged attackers to trigger a kernel panic. This vulnerability was present in all released versions of the systemd since it was announced in April 2015. Earlier this year, Qualys researchers also found a “sudo” vulnerability that could allow local users to gain “root” privileges on Unix-like operating systems without requiring authentication.
Solution Offers and CVE / CWE
Given the breadth of the attack surface for this vulnerability, Qualys recommends that users immediately apply patches for this vulnerability.
If you are not a customer, you can start your free Qualys VMDR trial to get full access to QIDs for CVE-2021-33909 to update your vulnerable assets.