In what appears to be a pretty busy Tuesday for security researchers, both Windows and Linux were found to have vulnerabilities that could send users packing from their own systems. Windows has a new privilege access flaw that came to light by accident, and Linux has a file system vulnerability that allows an attacker to gain root access.
In the vulnerability being tracked as CVE-2021-36934, an attacker with the ability to execute code on the victim computer can read the Security Accounts Manager database, allowing them to run arbitrary code with system privileges, the highest possible in Windows. The attacker can also install programs, access, modify or delete data and create new users with system privileges.
There have been two separate discoveries on the Linux side of things: a privilege escalation flaw in the Linux filesystem layer, tracked as CVE-2021-33909, and another vulnerability that can cause a kernel panic, tracked as CVE-2021-33910.
Breaking Windows by accident?
A researcher who goes by Jonas L on Twitter found what seemed like a coding regression in the beta build of Windows 11 on Monday. Jonas eventually found that users with limited privileges could read the contents of the Security Account Manager.
He put out a tweet highlighting the flaw, and soon after, people pointed out that this issue wasn’t exclusive to Windows 11. As a result, the US Computer Emergency Readiness Team put out an advisory stating that the issue resides in the Volume Shadow Copy Service, a Windows feature that allows programs to take disk snapshots in real-time without locking the disks themselves.
The vulnerability allows a local user to extract cryptographically protected password data, obtain keys for the Windows data protection API (which can be used to decrypt private encryption keys) and eventually make an account with SYSTEM privileges, the highest possible in Windows. Another researcher, Benjamin Delpy, showed how the flaw could be exploited to obtain password hashes of sensitive data.
There’s no patch to fix this at the moment; however, certain workarounds have been mentioned in the advisory. Microsoft has mentioned that there can be certain exploits out there.
The good old Linux kernel might not be that good
Two new vulnerabilities have been discovered in the Linux kernel: one is a Local Privilege Escalation flaw in the Linux filesystem layer, and the other is a Denial of Service flaw in systemd. They are tracked as CVE-2021-33909 and CVE-2021-33910, respectively.
The privilege escalation flaw was found first by researchers over at Qualys and allows an attacker to gain root access to a system by essentially making and deleting a bunch of folders. The exploit has been codenamed Sequoia.
According to Qualys’ writeup of the flaw, “the successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable.”
Essentially, all an attacker has to do is create, mount and delete a directory structure with a total path length that exceeds 1GB, and then open and read the /proc/self/mountinfo file.
The second vulnerability, CVE-2021-33910, is a stack exhaustion flaw in systemd, a very popular suite of software installed in just about any Linux distribution.
According to the Qualys report, the vulnerability was introduced in systemd v220 back in April 2015 by commit 7410616c. The commit replaced a strdup() on the heap with a strdupa() on the stack. Exploiting this vulnerability can let any unprivileged user cause a denial of service via kernel panic.
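The difference between the two allocation styles named above, as an added example (not code from systemd, the commit or the Qualys report): a copy helper that keeps small inputs on the stack and sends anything larger to the heap, where an allocation failure can be handled. STACK_COPY_BUDGET, first_component_len and make_long_input are names assumed for this illustration.

```c
#include <alloca.h>
#include <stdlib.h>
#include <string.h>

/* Assumed per-call stack budget for this example; not a systemd constant. */
#define STACK_COPY_BUDGET 4096u

/* Work done on the private copy: cut at the first '/' and measure the rest. */
static size_t cut_at_slash(char *copy) {
    char *slash = strchr(copy, '/');
    if (slash) *slash = '\0';
    return strlen(copy);
}

/* Returns 0 on success, -1 if the heap copy fails; *on_heap reports the path taken. */
int first_component_len(const char *s, size_t *out, int *on_heap) {
    size_t len = strlen(s);
    if (len < STACK_COPY_BUDGET) {
        /* strdupa() style: alloca() + memcpy(), no error return, so bound it first. */
        char *copy = alloca(len + 1);
        memcpy(copy, s, len + 1);
        *on_heap = 0;
        *out = cut_at_slash(copy);
        return 0;
    }
    /* strdup() style: malloc() + memcpy(). An oversized input fails cleanly. */
    char *copy = malloc(len + 1);
    if (!copy) return -1;
    memcpy(copy, s, len + 1);
    *on_heap = 1;
    *out = cut_at_slash(copy);
    free(copy);
    return 0;
}

/* Constructed sample input: n bytes of 'a' followed by "/x". */
char *make_long_input(size_t n) {
    char *buf = malloc(n + 3);
    if (!buf) return NULL;
    memset(buf, 'a', n);
    memcpy(buf + n, "/x", 3);
    return buf;
}

int main(void) {
    size_t out; int on_heap;
    char *big = make_long_input(16u << 20); /* 16 MiB, above a common 8 MiB stack limit */
    int rc = big ? first_component_len(big, &out, &on_heap) : -1;
    free(big);
    return rc;
}
```

Without the length check, the 16 MiB input would be placed in the stack frame, which is the stack exhaustion condition the report describes.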