CVE-2021-3996

snap-confine must_mkdir_and_open_with_perms() Race Condition

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users' filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.

Se ha encontrado un error lógico en la biblioteca libmount de util-linux en la función que permite a un usuario no privilegiado desmontar un sistema de archivos FUSE. Este fallo permite a un usuario local en un sistema vulnerable desmontar los sistemas de archivos de otros usuarios que son de escritura mundial (como /tmp) o que están montados en un directorio de escritura mundial. Un atacante puede usar este fallo para causar una denegación de servicio a las aplicaciones que usan los sistemas de archivos afectados.

The Qualys Research Labs discovered two vulnerabilities in util-linux's libmount. These flaws allow an unprivileged user to unmount other users' filesystems that are either world-writable themselves or mounted in a world-writable directory (CVE-2021-3996), or to unmount FUSE filesystems that belong to certain other users (CVE-2021-3995).

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2021-11-22 CVE Reserved
2022-01-28 CVE Published
2022-12-09 First Exploit
2024-10-15 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-552: Files or Directories Accessible to External Parties

CAPEC

References (11)

URL	Tag	Source
http://packetstormsecurity.com/files/170176/snap-confine-must_mkdir_and_open_with_perms-Race-Condition.html	Third Party Advisory
http://seclists.org/fulldisclosure/2022/Dec/4	Mailing List
http://www.openwall.com/lists/oss-security/2022/11/30/2	Mailing List
https://access.redhat.com/security/cve/CVE-2021-3996	Issue Tracking
https://security.netapp.com/advisory/ntap-20221209-0002	Broken Link

URL	Date	SRC
https://packetstorm.news/files/id/170176	2022-12-09
https://www.openwall.com/lists/oss-security/2022/01/24/2	2024-10-15

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=2024628	2024-01-07
https://github.com/util-linux/util-linux/commit/166e87368ae88bf31112a30e078cceae637f4cdb	2024-01-07

URL	Date	SRC
https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.37/v2.37.3-ReleaseNotes	2024-01-07
https://security.gentoo.org/glsa/202401-08	2024-01-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Kernel Search vendor "Kernel"		Util-linux Search vendor "Kernel" for product "Util-linux"				>= 2.34 < 2.37.3 Search vendor "Kernel" for product "Util-linux" and version " >= 2.34 < 2.37.3"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected