CVE-2021-25314

7.8 HIGH

📋 TL;DR

CVE-2021-25314 is a local privilege escalation vulnerability in the hawk2 component of SUSE Linux Enterprise High Availability. It allows local attackers to create temporary files with insecure permissions, potentially enabling them to escalate privileges to root. This affects specific versions of SUSE Linux Enterprise High Availability 12-SP3, 12-SP5, and 15-SP2.

💻 Affected Systems

Products:
  • SUSE Linux Enterprise High Availability
Versions: hawk2 versions prior to 2.6.3+git.1614685906.812c31e9 for 12-SP3/SP5, prior to 2.6.3+git.1614684118.af555ad9 for 15-SP2
Operating Systems: SUSE Linux Enterprise Server 12-SP3, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-SP2
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with hawk2 component installed as part of High Availability extension.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains full root privileges on the affected system, enabling complete system compromise, data theft, and persistence establishment.

🟠

Likely Case

Local user with limited privileges escalates to root, gaining control over the HA cluster management and potentially affecting cluster stability.

🟢

If Mitigated

With proper access controls and patching, the impact is limited to denial of service, provided exploitation attempts are detected and blocked.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.
🏢 Internal Only: HIGH - Internal users with shell access can exploit this to gain root privileges on affected HA nodes.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local access to the system. The vulnerability involves insecure temporary file creation that can be exploited through race conditions or symlink attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: hawk2 2.6.3+git.1614685906.812c31e9 for 12-SP3/SP5, hawk2 2.6.3+git.1614684118.af555ad9 for 15-SP2

Vendor Advisory: https://bugzilla.suse.com/show_bug.cgi?id=1182166

Restart Required: Yes

Instructions:

1. Apply the SUSE security update via 'zypper patch' or 'zypper update hawk2'.
2. Restart the hawk2 service: 'systemctl restart hawk2'.
3. Verify the patch is applied using the version check command under "How to Verify".

🔧 Temporary Workarounds

Restrict local user access

Limit shell access to trusted users only on HA cluster nodes.

# Review /etc/passwd and /etc/shadow for unnecessary users
# Remove or disable unused accounts: userdel <username>
# Restrict sudo privileges in /etc/sudoers

Monitor temporary file creation

Set up audit rules to monitor suspicious temporary file operations in hawk2 directories.

# Add audit rule: auditctl -w /var/run/hawk2 -p wa -k hawk2_temp_files
# Or use inotify: inotifywait -m -r /var/run/hawk2 --format '%w%f %e'

🧯 If You Can't Patch

  • Remove hawk2 component if not required for HA operations
  • Implement strict access controls and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check the hawk2 version: rpm -q hawk2 | grep -E '2\.6\.3\+git\.(1614685906\.812c31e9|1614684118\.af555ad9)' - this grep matches only the exact patched builds listed above; if the installed version is lower than the patched build for your service pack, the system is vulnerable (a later build will also fail to match, so compare the version string rather than relying on the grep alone).

Check Version:

rpm -q hawk2 --queryformat '%{VERSION}-%{RELEASE}\n'

Verify Fix Applied:

Verify that the hawk2 version matches the patched version for your service pack, and check that temporary files in /var/run/hawk2 have proper permissions (not world-writable).
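The version check and the permission check above, combined into one script. This is an added example, not code from the advisory or from the hawk2 project. It assumes that SUSE's hawk2 version strings carry a "git.<unix-timestamp>.<hash>" segment and that newer builds have larger timestamps (a heuristic; zypper's and rpm's own version comparison are authoritative), and that SLES /etc/os-release uses VERSION_ID="<major>.<sp>" (for example "15.2" for 15-SP2). The patched timestamps come from the version strings in this advisory.

```shell
#!/bin/sh
# Added example (not from the advisory or hawk2): is the installed hawk2 build
# older than the patched build for its service pack, and is /var/run/hawk2
# free of world-writable entries?
# Assumption: the "git.<unix-timestamp>" segment orders builds (heuristic);
# zypper/rpm version comparison is authoritative.

# Patched build timestamps per service pack, taken from the advisory text.
patched_ts_for_sp() {
    case "$1" in
        12-SP3|12-SP5) echo 1614685906 ;;   # 2.6.3+git.1614685906.812c31e9
        15-SP2)        echo 1614684118 ;;   # 2.6.3+git.1614684118.af555ad9
        *) echo "unknown service pack: '$1'" >&2; return 1 ;;
    esac
}

# Extract the 10-digit git timestamp from a version such as
# "2.6.3+git.1614685906.812c31e9"; prints nothing if the segment is absent.
git_ts_of() {
    printf '%s\n' "$1" | sed -n 's/.*[+]git\.\([0-9]\{10\}\)\..*/\1/p'
}

# Map an os-release VERSION_ID ("12.5") to the advisory's service-pack name
# ("12-SP5"). Assumption: SLES uses VERSION_ID="<major>.<sp>".
sp_from_version_id() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)$/\1-SP\2/p'
}

# Exit status: 0 = patched build or later, 1 = vulnerable, 2 = cannot tell.
hawk2_is_patched() {
    ts=$(git_ts_of "$1")
    [ -n "$ts" ] || return 2
    fixed=$(patched_ts_for_sp "$2") || return 2
    [ "$ts" -ge "$fixed" ]
}

# Print every world-writable entry (symlinks excluded) under a directory.
world_writable_in() {
    [ -d "$1" ] || return 0
    find "$1" -perm -0002 ! -type l 2>/dev/null
}

# Stand-alone use: query rpm and os-release on the local host.
main() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available; nothing to check here" >&2; return 0; }
    ver=$(rpm -q hawk2 --queryformat '%{VERSION}\n' 2>/dev/null) || { echo "hawk2 is not installed; not affected"; return 0; }
    sp=$(sp_from_version_id "$(sed -n 's/^VERSION_ID="\(.*\)"$/\1/p' /etc/os-release 2>/dev/null)")
    hawk2_is_patched "$ver" "$sp"
    case $? in
        0) echo "hawk2 $ver on $sp: patched build or later" ;;
        1) echo "hawk2 $ver on $sp: VULNERABLE, apply the update" ;;
        *) echo "hawk2 $ver: could not determine status for service pack '$sp'" ;;
    esac
    ww=$(world_writable_in /var/run/hawk2)
    [ -z "$ww" ] || printf 'world-writable entries under /var/run/hawk2:\n%s\n' "$ww"
}

main
```

Run it as root on each HA node; a build with a git timestamp below the one for its service pack is reported as vulnerable, a version without a git segment or an unknown service pack is reported as undetermined rather than silently passed, and any world-writable entry under /var/run/hawk2 is listed for follow-up.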

📡 Detection & Monitoring

Log Indicators:

  • Unusual temporary file creation in /var/run/hawk2 directory
  • Unexpected privilege escalation attempts in audit logs
  • hawk2 process spawning with elevated privileges

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

source="audit.log" AND ((path="/var/run/hawk2/*" AND action="write") OR (process="hawk2" AND uid_change="0"))
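One way to triage the records that the audit rule in the workaround section produces (auditctl -w /var/run/hawk2 -p wa -k hawk2_temp_files), matching the first half of the SIEM query above. This is an added example, not part of the advisory: it reads audit.log-style lines, joins each SYSCALL record carrying the hawk2_temp_files key with its PATH records by audit event id, and reports successful writes under /var/run/hawk2 made by a non-root uid. The record fields used (msg=audit(<time>:<serial>), uid=, success=, key=, name=, nametype=) are the standard auditd line format; the sample log lines are constructed for this example and the "non-root writer is suspicious" rule is an assumption about how hawk2 normally runs.

```shell
#!/bin/sh
# Added example (not from the advisory): triage auditd records keyed
# "hawk2_temp_files" and flag successful non-root writes under /var/run/hawk2.

AUDIT_KEY="hawk2_temp_files"

# Reads audit.log lines on stdin; prints "<event-id> uid=<uid> <paths>" for
# each flagged event. Pure awk, so it works on an exported log without ausearch.
hawk2_audit_triage() {
    awk -v key="\"$AUDIT_KEY\"" '
    # "<time>:<serial>" taken from msg=audit(<time>:<serial>)
    function event_id(s) {
        if (match(s, /msg=audit\([0-9.]+:[0-9]+\)/)) return substr(s, RSTART + 10, RLENGTH - 11)
        return ""
    }
    # value of a " name=value" field, quoted or bare; the leading space keeps
    # uid= from matching auid=, euid=, suid= or fsuid=
    function field(s, name) {
        if (match(s, " " name "=\"[^\"]*\"")) return substr(s, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
        if (match(s, " " name "=[^ ]+")) return substr(s, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
        return ""
    }
    /^type=SYSCALL/ && index($0, "key=" key) {
        id = event_id($0)
        uid[id] = field($0, "uid")
        ok[id] = (field($0, "success") == "yes")
    }
    /^type=PATH/ {
        id = event_id($0)
        # skip the PARENT directory entry; keep the file that was created/written
        if (id in uid && field($0, "nametype") != "PARENT")
            paths[id] = paths[id] (paths[id] == "" ? "" : " ") field($0, "name")
    }
    END {
        for (id in uid)
            if (ok[id] && uid[id] != "0" && paths[id] != "")
                printf "%s uid=%s %s\n", id, uid[id], paths[id]
    }'
}

# Constructed sample: a root write by the service (not flagged), a successful
# write by uid 1000 (flagged), a denied attempt by uid 1000 (not flagged) and
# an event with an unrelated key (ignored).
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1614685906.101:1001): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=1 pid=2222 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 comm="hawk2" key="hawk2_temp_files"
type=PATH msg=audit(1614685906.101:1001): item=0 name="/var/run/hawk2" inode=100 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1614685906.101:1001): item=1 name="/var/run/hawk2/hawk2.pid" inode=101 mode=0100644 ouid=0 ogid=0 nametype=CREATE
type=SYSCALL msg=audit(1614685906.201:1002): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=3000 pid=3001 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 comm="touch" key="hawk2_temp_files"
type=PATH msg=audit(1614685906.201:1002): item=0 name="/var/run/hawk2" inode=100 mode=040777 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1614685906.201:1002): item=1 name="/var/run/hawk2/session.tmp" inode=102 mode=0100666 ouid=1000 ogid=100 nametype=CREATE
type=SYSCALL msg=audit(1614685906.301:1003): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=3000 pid=3002 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 comm="touch" key="hawk2_temp_files"
type=PATH msg=audit(1614685906.301:1003): item=0 name="/var/run/hawk2/other.tmp" nametype=CREATE
type=SYSCALL msg=audit(1614685906.401:1004): arch=c000003e syscall=257 success=yes exit=5 items=1 ppid=1 pid=2223 auid=4294967295 uid=1000 gid=100 comm="cat" key="unrelated"
type=PATH msg=audit(1614685906.401:1004): item=0 name="/tmp/x" nametype=NORMAL
EOF
}

# Stand-alone use: triage the constructed sample, or a real log passed as $1.
if [ -n "$1" ]; then hawk2_audit_triage < "$1"; else sample_audit_log | hawk2_audit_triage; fi
```

On a real node, feed it the audit log (hawk2_audit_triage < /var/log/audit/audit.log) and investigate each flagged line: a non-root uid successfully creating or writing files in a directory used by a root-run service is exactly the precondition this advisory describes, and after patching, the same output should stay empty.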

🔗 References
