CVE-2011-2921

9.8 CRITICAL

📋 TL;DR

CVE-2011-2921 is a local privilege escalation in ktsuss 1.4 and earlier. ktsuss is installed setuid root so that it can run a command as root, but vulnerable versions do not drop those root privileges before executing the user-specified command, so any local user who can execute the binary can run arbitrary commands as root. Any system with a vulnerable ktsuss installed with the SUID bit set is affected.

💻 Affected Systems

Products:
  • ktsuss
Versions: 1.4 and earlier
Operating Systems: Linux distributions including Debian, Red Hat, and others that packaged ktsuss
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when ktsuss is installed with SUID bit set (common default configuration).

📦 What is this software?

ktsuss is a small GTK+ graphical front end for su: it prompts for a password and then runs the requested command as root. Because it must be able to become root, distributions install the binary setuid root, which is what turns a missing privilege drop into a full root escalation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains full root access to the system, enabling complete compromise including data theft, persistence installation, and lateral movement.

🟠

Likely Case

Local user escalates privileges to root, gaining administrative control over the affected system.

🟢

If Mitigated

Attack fails because the patched binary drops root privileges before executing the user's command, or because the setuid bit has been removed from the ktsuss binary (which also disables ktsuss).

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to exploit.
🏢 Internal Only: HIGH - Any local user (including low-privileged accounts) can potentially gain root access on affected systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation is straightforward: from an unprivileged local shell the attacker invokes the setuid ktsuss binary with a crafted command line and the command runs as root. Nothing beyond the ability to execute the binary is required, and no network access is involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ktsuss 1.5 and later (as stated here; confirm against your distribution's changelog which packaged version actually carries the fix)

Advisory / tracker: https://security-tracker.debian.org/tracker/CVE-2011-2921

Restart Required: No (the fix takes effect on the next ktsuss invocation)

Instructions:

1. Update ktsuss to version 1.5 or later using your distribution's package manager.
2. Debian/Ubuntu: sudo apt-get update && sudo apt-get install ktsuss
3. Red Hat/CentOS: sudo yum update ktsuss
4. Confirm the installed package version is 1.5 or later. Expect the binary to remain setuid root after the update: ktsuss needs that bit to function, and the fix is that it now drops privileges before executing the user's command, not a change in file mode.

🔧 Temporary Workarounds

Remove the SUID bit from ktsuss

linux

Clearing the setuid bit means ktsuss can no longer become root, so the escalation is impossible. It also means ktsuss no longer works at all, so this is a disable-the-tool workaround, not a hardening. A later package upgrade or reinstall may restore the bit, so re-check the mode after updates (on Debian-family systems dpkg-statoverride can pin the mode across upgrades).

sudo chmod u-s /usr/bin/ktsuss

Uninstall ktsuss

linux

Remove the package entirely if nobody on the host needs a graphical su; this is the cleanest option when no fixed package is available.

sudo apt-get remove ktsuss
sudo yum remove ktsuss

🧯 If You Can't Patch

  • Remove the setuid bit from the ktsuss binary: chmod u-s /usr/bin/ktsuss. This disables ktsuss entirely; re-check after package upgrades, which may reinstall the binary with mode 4755.
  • If some users must keep ktsuss, restrict execution of the binary to a trusted group with filesystem permissions, e.g. chgrp <admin-group> /usr/bin/ktsuss && chmod 4750 /usr/bin/ktsuss. This only narrows who can reach the vulnerable code path; members of that group can still escalate until the package is patched.

🔍 How to Verify

Check if Vulnerable:

Check that the binary is setuid root and that the package version is 1.4 or earlier. The mode is visible with stat -c '%A %U %n' /usr/bin/ktsuss (an s in the owner-execute slot, e.g. -rwsr-xr-x root, means setuid root); the version comes from dpkg -l ktsuss or rpm -q ktsuss. The one-liner ls -la /usr/bin/ktsuss | grep '^...s' && ktsuss --version tests the same bit: the fourth character of the mode string is s only when setuid is set, so the version command runs only for setuid binaries.

Check Version:

ktsuss --version 2>/dev/null || dpkg -l ktsuss 2>/dev/null || rpm -q ktsuss 2>/dev/null

Verify Fix Applied:

Confirm the package version is 1.5 or later (ktsuss --version, dpkg -l ktsuss or rpm -q ktsuss). ls -la /usr/bin/ktsuss will still show the setuid bit (-rwsr-xr-x root) on a patched install; that is expected, since ktsuss needs it. Only if you applied the chmod u-s workaround should the s be gone.
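The checks above and the "If You Can't Patch" workaround, put together as one script. This is an added example written for this page, not code from the ktsuss project or any distribution. It assumes the binary is at /usr/bin/ktsuss, that 1.5 is the first fixed version (as this page states), and that a group named ktsuss should keep access; all three are overridable environment variables. On Debian-family hosts it records the reduced mode with dpkg-statoverride so the next package upgrade does not silently put 4755 back.

```shell
#!/bin/sh
# Added example (not from the ktsuss project): assess one host for
# CVE-2011-2921 and, when it cannot be patched, apply the workaround in a
# way that survives package upgrades.
# Assumptions, not from the advisory: binary path, fixed version (taken from
# this page) and the name of the group that should keep access.
set -u

KTSUSS_BIN=${KTSUSS_BIN:-/usr/bin/ktsuss}
FIXED_VERSION=${FIXED_VERSION:-1.5}
TRUSTED_GROUP=${TRUSTED_GROUP:-ktsuss}

# True if FILE carries the setuid bit: stat prints a 4-digit octal mode when
# any special bit is set, and setuid is the 4 in that leading digit (4..7).
is_setuid() {
    mode=$(stat -c '%a' "$1") || return 1
    [ "${#mode}" -eq 4 ] && [ "${mode%???}" -ge 4 ]
}

# True if VERSION sorts before FIXED_VERSION. sort -V understands package
# style strings such as 1.4-2 or 1.4.1, so 1.4-2 < 1.5 and 1.5-1 >= 1.5.
is_vulnerable_version() {
    lowest=$(printf '%s\n' "$1" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$1" ] && [ "$1" != "$FIXED_VERSION" ]
}

# Installed package version from dpkg or rpm; prints nothing and fails
# when the package is not installed.
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1 &&
       ver=$(dpkg-query -W -f='${Version}' ktsuss 2>/dev/null); then
        printf '%s\n' "$ver"; return 0
    fi
    if command -v rpm >/dev/null 2>&1 &&
       ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' ktsuss 2>/dev/null); then
        printf '%s\n' "$ver"; return 0
    fi
    return 1
}

# Returns 0 (and says why) only when BIN is setuid AND VERSION is below the
# fix; an unknown version with a setuid binary is treated as vulnerable.
assess_ktsuss() {
    bin=$1; ver=${2:-unknown}
    if [ ! -e "$bin" ]; then
        echo "$bin not present: not affected"; return 1
    fi
    if ! is_setuid "$bin"; then
        echo "$bin is not setuid: CVE-2011-2921 not exploitable (ktsuss itself will not work either)"
        return 1
    fi
    if [ "$ver" != unknown ] && ! is_vulnerable_version "$ver"; then
        echo "$bin is setuid but version $ver is at or above $FIXED_VERSION"; return 1
    fi
    echo "VULNERABLE: $bin is setuid and version is $ver (need >= $FIXED_VERSION)"
    return 0
}

# Workaround: drop setuid and leave execute to root and GROUP only (0750).
# Where dpkg owns the file, pin the mode with dpkg-statoverride so the next
# upgrade does not restore 4755; elsewhere fall back to chgrp/chmod.
harden_ktsuss() {
    bin=$1; grp=$2
    if command -v dpkg-statoverride >/dev/null 2>&1 && dpkg -S "$bin" >/dev/null 2>&1; then
        dpkg-statoverride --remove "$bin" >/dev/null 2>&1 || true   # replace any older override
        dpkg-statoverride --update --add root "$grp" 0750 "$bin"      # --update applies it now
    else
        chgrp "$grp" "$bin" && chmod 0750 "$bin"
    fi
}

# Usage: sh ktsuss-check.sh --check    (report only)
#        sh ktsuss-check.sh --apply    (report, then harden if vulnerable; run as root)
if [ "${1:-}" = "--check" ]; then
    assess_ktsuss "$KTSUSS_BIN" "$(installed_version || echo unknown)"
elif [ "${1:-}" = "--apply" ]; then
    if assess_ktsuss "$KTSUSS_BIN" "$(installed_version || echo unknown)"; then
        harden_ktsuss "$KTSUSS_BIN" "$TRUSTED_GROUP" &&
            echo "hardened: $(stat -c '%A %U:%G %n' "$KTSUSS_BIN")"
    fi
fi
```

The version comparison is deliberately done on the packaged version string rather than on ktsuss --version, which not every build prints; the dpkg-statoverride branch is what makes the workaround stick, since a plain chmod u-s is undone by the next package upgrade.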

📡 Detection & Monitoring

Log Indicators:

  • ktsuss executed from a non-root login session (in auditd terms: an execve of /usr/bin/ktsuss with an auid other than 0, which a watch rule such as -w /usr/bin/ktsuss -p x -k ktsuss_exec records)
  • Root-owned child processes, shells in particular, whose parent is a ktsuss process started by an unprivileged user
  • Repeated ktsuss executions from accounts that have no administrative role on the host

Network Indicators:

  • N/A - local exploitation only

SIEM Query:

process.name:"ktsuss" AND NOT user.name:"root"

and, for the commands ktsuss runs as root on behalf of a caller (ECS field names; review which login session started the parent):

process.parent.name:"ktsuss" AND user.id:"0"
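The log indicators above, turned into a check that runs over auditd SYSCALL records. This is an added example for this page, not tooling from ktsuss or any distribution. It assumes two audit rules that are not part of the advisory: a watch on the binary (-w /usr/bin/ktsuss -p x -k ktsuss_exec) and a rule for root execs (-a always,exit -F arch=b64 -S execve -F euid=0 -k root_exec). The records it is fed are constructed for the example, not captured logs; the detection keys on the audit login uid (auid), which survives the setuid transition, rather than on uid, and then links root execs back to the ktsuss process that spawned them via ppid.

```shell
#!/bin/sh
# Added example (not from the ktsuss project): pick ktsuss-driven root execs
# out of auditd SYSCALL records. Assumed audit rules (not from the advisory):
#   -w /usr/bin/ktsuss -p x -k ktsuss_exec
#   -a always,exit -F arch=b64 -S execve -F euid=0 -k root_exec
set -u

# Write a constructed audit.log to FILE (these are not real captured records):
#   201  user auid=1000 runs ktsuss (euid already 0 after the setuid exec)
#   202  that ktsuss process spawns a root shell            -> must fire
#   210  root itself runs ktsuss                              -> must not fire
#   220  cron-started root exec, no login session             -> must not fire
#   230  the same user runs ls as themselves                  -> must not fire
write_sample_audit_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1315152000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1601 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ktsuss" exe="/usr/bin/ktsuss" key="ktsuss_exec"
type=SYSCALL msg=audit(1315152000.250:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1601 pid=1602 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="sh" exe="/bin/dash" key="root_exec"
type=SYSCALL msg=audit(1315152030.000:210): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=950 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ktsuss" exe="/usr/bin/ktsuss" key="ktsuss_exec"
type=SYSCALL msg=audit(1315152060.000:220): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" key="root_exec"
type=SYSCALL msg=audit(1315152090.000:230): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1700 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key=(null)
EOF
}

# Print one line per ktsuss launch by a non-root login session (auid not 0
# and not the "unset" value 4294967295), and one line per root execve whose
# parent pid is such a ktsuss process. Accepts raw logs (syscall=59) and
# ausearch -i output (syscall=execve).
ktsuss_events() {
    awk '
    $0 ~ /^type=SYSCALL / && $0 ~ / syscall=(59|execve) / {
        split("", v)                               # clear the field map
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); val = substr($i, n + 1)
            gsub(/"/, "", val)                     # exe="/bin/dash" -> /bin/dash
            v[k] = val
        }
        ts = v["msg"]                              # audit(1315152000.101:201): -> 1315152000.101
        sub(/^audit\(/, "", ts); sub(/:.*$/, "", ts)
        if (v["exe"] == "/usr/bin/ktsuss" && v["auid"] != "0" && v["auid"] != "4294967295") {
            launched[v["pid"]] = v["auid"]
            printf "%s auid=%s pid=%s launched ktsuss from %s\n", ts, v["auid"], v["pid"], v["tty"]
        } else if (v["uid"] == "0" && (v["ppid"] in launched)) {
            printf "%s auid=%s pid=%s root execve of %s via ktsuss pid %s\n",
                   ts, v["auid"], v["pid"], v["exe"], v["ppid"]
        }
    }' "$1"
}

# Usage: sh ktsuss-audit.sh /var/log/audit/audit.log
#        (with no argument it runs over the constructed sample above)
if [ -n "${1:-}" ]; then
    ktsuss_events "$1"
fi
```

Every root exec whose parent is ktsuss will show up, including legitimate use, so this is a triage feed rather than an alert on its own: the value is the auid to exe pairing, which tells you which login session obtained which root process, and a shell or package-manager exe from an account that should never be administering the host is the line to chase.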
