CVE-2021-3995

snap-confine must_mkdir_and_open_with_perms() Race Condition

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows an unprivileged local attacker to unmount FUSE filesystems that belong to certain other users who have a UID that is a prefix of the UID of the attacker in its string form. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.

Se ha encontrado un error lógico en la biblioteca libmount de util-linux en la función que permite a un usuario no privilegiado desmontar un sistema de archivos FUSE. Este fallo permite a un atacante local no privilegiado desmontar sistemas de archivos FUSE que pertenecen a otros usuarios determinados que presentan un UID que es un prefijo del UID del atacante en su forma de cadena. Un atacante puede usar este fallo para causar una denegación de servicio a las aplicaciones que usan los sistemas de archivos afectados.

The Qualys Research Labs discovered two vulnerabilities in util-linux's libmount. These flaws allow an unprivileged user to unmount other users' filesystems that are either world-writable themselves or mounted in a world-writable directory (CVE-2021-3996), or to unmount FUSE filesystems that belong to certain other users (CVE-2021-3995).

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-11-22 CVE Reserved
2022-01-28 CVE Published
2022-12-09 First Exploit
2024-08-03 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-552: Files or Directories Accessible to External Parties

CAPEC

References (10)

URL	Tag	Source
http://packetstormsecurity.com/files/170176/snap-confine-must_mkdir_and_open_with_perms-Race-Condition.html	Third Party Advisory
http://seclists.org/fulldisclosure/2022/Dec/4	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/30/2	Mailing List
https://bugzilla.redhat.com/show_bug.cgi?id=2024631https://access.redhat.com/security/cve/CVE-2021-3995	Broken Link
https://security.netapp.com/advisory/ntap-20221209-0002	Third Party Advisory

URL	Date	SRC
https://packetstorm.news/files/id/170176	2022-12-09
https://www.openwall.com/lists/oss-security/2022/01/24/2	2024-08-03

URL	Date	SRC
https://github.com/util-linux/util-linux/commit/57202f5713afa2af20ffbb6ab5331481d0396f8d	2024-01-07

URL	Date	SRC
https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.37/v2.37.3-ReleaseNotes	2024-01-07
https://security.gentoo.org/glsa/202401-08	2024-01-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Kernel Search vendor "Kernel"		Util-linux Search vendor "Kernel" for product "Util-linux"				>= 2.34 < 2.37.3 Search vendor "Kernel" for product "Util-linux" and version " >= 2.34 < 2.37.3"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected