Sequoia Vulnerability (CVE-2021-33909), PCI DSS Experts advise

Share on social media

An out-of-bounds write flaw was found in the Linux kernel’s seq_file in the Filesystem layer. This flaw allows a local attacker with a user privilege to gain access to out-of-bound memory, leading to a system crash or a leak of internal kernel information. The issue results from not validating the size_t-to-int conversion prior to performing operations.

From PCI DSS point of views, primary concerns are operating system user account security.  Verification on the necessities of allowing access given to System, restrict only the mandatory rights to login with logging, ePBF etc. Patch management, especially critical, should be complete in 30 days.


  • PCI DSS Requirements 2.1 : Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.  Verify /etc/password have proper settings, delete or set to “nologin”, preventing non mandatory users can login using vulnerability to compromise the system.
  • PCI DSS Requirements 6.2 : Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.

Verify Operating System vendors have releasing relate patch and complete patch update within 1 month.  If there are no updates from the vendors, necessary mitigation process should be in place.


Patch updates resolving this vulnerability (CVE-2021-33909) noted by Qualys Security Research Team, see following form for Patch listing:


SourceRisk level
NESSUS
https://www.tenable.com/cve/CVE-2021-33909
CVSS (v2) 7.2
NIST NVD
https://nvd.nist.gov/vuln/detail/CVE-2021-33909
CVSS (v3) 7.8
Redhat
https://access.redhat.com/security/cve/cve-2021-33909
CVSS (v3) 7.0
CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33909
Source: MITRE

Update on 2021/09/10

Qualys Security Research Team has proven vulnerability by accessing root rights in vulnerable OS of : Ubuntu 20.04、Ubuntu 20.10、Ubuntu 21.04、Debian 11 and Fedora 34 Workstation.  Other Linux OS may result in I.O.C. generate from this vulnerability.  Linux Servers patch fix as follow:


Operating SystemSecurity patch link
Redhathttps://access.redhat.com/security/cve/cve-2021-33909
CentOShttps://centosfaq.org/centos/its-been-six-days-since-cvd-2021-33909-was-patched-in-rhel-whats-the-holdup-for-stream-8/

https://centos.pkgs.org/8-stream/centos-baseos-x86_64/kernel-4.18.0-326.el8.x86_64.rpm.html

SUSEhttps://www.suse.com/security/cve/CVE-2021-33909.html
ubuntuhttps://ubuntu.com/security/CVE-2021-33909

Update on 2021/09/10

If there are no updates from the vendors, necessary mitigation process should be in place.

sysctl kernel.unprivileged_userns_clone=1   # unprivileged_userns_clone set as 0

sysctl kernel.unprivileged_bpf_disabled=1   # unprivileged_bpf_disabled set as 1

For technical details, please refer to below link:

https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt


Max Tsai

Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant

• Payment Card Industry Security, IT Security Management, Cloud Service Management
• Professional certification: PCI DSS QSA, CISSP, ISMS LA



Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.




PCI DSS v4.0
first time PCI DSS Compliance
PCI 3DS 驗證 3 步驟_Max

*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.


© 2020 Copyright - Secure Vectors Information Technologies Inc.