According to the researchers, this LPE bug exists in the filesystem layer that is used in all major Linux operating systems and helps to manage user data.
The flaw, dubbed ‘Sequoia’ and tracked as CVE-2021-33909, was discovered by the researchers from cybersecurity firm Qualys in June.
They noted in a blog post that an unprivileged local attacker can exploit CVE-2021-33909 by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1 GB.
“Other Linux distributions are likely vulnerable and probably exploitable,” Bharat Jogi, senior manager, vulnerabilities and signatures at Qualys, stated.
The researchers said they were able to develop an exploit for the vulnerability and also used it to obtain full root privileges on default installations of Debian 11, Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, and Fedora 34 Workstation.
Separately, Qualys researchers have also disclosed details of a stack exhaustion denial-of-service (DoS) bug that could enable an unprivileged attacker to launch an attack against systemd (the system and service manager) and trigger a kernel panic.
systemd is a software suite available in most Linux operating systems and used to start all other system components after booting.
The vulnerability, tracked as CVE-2021-33910, was introduced in systemd v220 in April 2015 and impacts all systemd versions released since then. The bug requires a local attacker with the ability to mount a filesystem with a long path, according to researchers.
Qualys notified Red Hat Product Security about the two flaws in early June, and earlier this month Red Hat sent the patches to the linux-distros@openwall mailing list. Red Hat has also released a vulnerability detection script for customers to determine if their machine is currently vulnerable.
Users running affected versions of Red Hat products are also advised to apply the available patches as soon as possible. A patch was not available for Ubuntu-based systems at the time of writing. The details of these two bugs come about a month after security researchers discovered a seven-year-old vulnerability in several Linux distributions, which enabled unprivileged local users to bypass authorisation and gain root access.
The bug existed in Polkit System Service and was patched last month. In 2017, Positive Technologies’ researcher Alexander Popov had found an old flaw in a Linux kernel that was introduced to the code in 2009.
Another old Linux security flaw, referred to as ‘Dirty COW’ zero-day, was introduced in 2007 and patched in 2016. It was used in many attacks before being patched.