CVE-2011-4126
📋 TL;DR
CVE-2011-4126 is a race condition vulnerability in Calibre's Linux mount helper that allows unprivileged local users to mount arbitrary devices to any location on the filesystem. This affects Linux systems running vulnerable versions of Calibre with the mount helper enabled. The vulnerability bypasses normal privilege checks through a time-of-check to time-of-use (TOCTOU) flaw.
💻 Affected Systems
- Calibre
📦 What is this software?
Calibre by Calibre Ebook
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via arbitrary device mounting leading to privilege escalation, data theft, or system disruption by mounting malicious filesystems or overwriting critical system files.
Likely Case
Local privilege escalation allowing unprivileged users to gain root access, potentially leading to data exfiltration, persistence establishment, or lateral movement within the environment.
If Mitigated
Limited impact if mount helper is disabled or proper access controls prevent local user access to vulnerable systems.
🎯 Exploit Status
Exploit code is publicly available and requires local user access. The race condition exploitation requires precise timing but has been demonstrated to be reliable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.8.60 and later
Vendor Advisory: https://bugs.launchpad.net/calibre/+bug/885027
Restart Required: No
Instructions:
1. Update Calibre to version 0.8.60 or later using your package manager.
2. For Debian/Ubuntu: sudo apt-get update && sudo apt-get install calibre
3. For other distributions, use the appropriate package manager or download from calibre-ebook.com.
🔧 Temporary Workarounds
Disable setuid on mount helper
Linux: Remove setuid permissions from the calibre-mount-helper binary
sudo chmod u-s /usr/lib/calibre/calibre-mount-helper
Remove mount helper entirely
Linux: Uninstall or remove the vulnerable mount helper component
sudo rm /usr/lib/calibre/calibre-mount-helper
🧯 If You Can't Patch
- Restrict local user access to systems running vulnerable Calibre versions
- Implement strict privilege separation and monitor for suspicious mount operations
🔍 How to Verify
Check if Vulnerable:
Check if calibre-mount-helper exists and has setuid bit set: ls -la /usr/lib/calibre/calibre-mount-helper 2>/dev/null | grep '^...s'
Check Version:
calibre --version | head -1
Verify Fix Applied:
Verify Calibre version is 0.8.60 or higher: calibre --version | head -1
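The two checks above can be combined into one verdict. This is an added example, not code from Calibre or from the original page: the helper path and fixed version are the ones stated here, while the function names and the shape of the `calibre --version` output are assumptions.

```shell
#!/bin/sh
# Added example. Helper path and fixed version come from the page;
# function names and the sample version strings are assumptions.
HELPER="${HELPER:-/usr/lib/calibre/calibre-mount-helper}"
FIXED="0.8.60"

# Pull the first dotted version number out of `calibre --version` output.
parse_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+(\.[0-9]+)+' | head -n 1
}

# Succeeds when $1 is strictly older than $2. Fields are compared as
# numbers, so 0.8.9 sorts before 0.8.60 (a string compare gets this wrong).
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# $1 = helper path, $2 = raw version output.
# Returns 0 = not exposed, 1 = exposed, 2 = cannot tell.
assess() {
    if [ ! -e "$1" ]; then
        echo "OK: $1 is not present"; return 0
    fi
    if [ ! -u "$1" ]; then
        echo "OK: $1 exists but the setuid bit is cleared"; return 0
    fi
    ver=$(parse_version "$2")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: setuid helper present, version unreadable"; return 2
    fi
    if version_lt "$ver" "$FIXED"; then
        echo "EXPOSED: setuid helper present, calibre $ver < $FIXED"; return 1
    fi
    echo "OK: calibre $ver is at or above $FIXED"; return 0
}

# Check this host; the verdict line is the result.
assess "$HELPER" "$(calibre --version 2>/dev/null | head -n 1)" || true
```

Set `HELPER` to a different path if your distribution installs the helper elsewhere.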
📡 Detection & Monitoring
Log Indicators:
- Unusual mount operations by non-root users
- Failed privilege escalation attempts
- Execution of calibre-mount-helper with unusual parameters
Network Indicators:
- Not applicable - local privilege escalation
SIEM Query:
process_name:"calibre-mount-helper" AND user_id!="0"
🔗 References
- https://bugs.launchpad.net/calibre/+bug/885027
- https://git.zx2c4.com/calibre-mount-helper-exploit/about/
- https://lwn.net/Articles/464824/
- https://www.openwall.com/lists/oss-security/2011/11/02/2