Unprivileged attackers can gain root privileges by exploiting a local privilege escalation (LPE) vulnerability in default configurations of the Linux Kernel's filesystem layer on vulnerable devices.
As discovered by Qualys researchers, the LPE security flaw tracked as CVE-2021-33909 (
dubbed Sequoia) is present in the filesystem layer used to manage user data, a feature universally used by all major (Linux) operating systems.
According to Qualys' research, the vulnerability impacts all Linux kernel versions released since 2014.
Once successfully exploited on a vulnerable system, the attackers get full root privileges on default installations of many modern distributions.
"We successfully exploited this uncontrolled out-of-bounds write, and obtained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation," the researchers
said. They also added that "other Linux distributions are certainly vulnerable, and probably exploitable."
Since the attack surface exposed by the Sequoia vulnerability reaches over a wide range of distros and releases,
Linux users are urged to immediately apply patches released earlier today.
