CVE-2021-25321
📋 TL;DR
CVE-2021-25321 is a local privilege escalation in the arpwatch packages shipped by SUSE. arpwatch runs as an unprivileged runtime user, but the package's start-up path adjusts ownership of the daemon's data directory recursively as root before privileges are dropped. An attacker who already controls that runtime user can therefore plant symbolic links in the directory and have them followed as root on the next restart of arpwatch, gaining root. Affected products are SUSE Linux Enterprise Server, SUSE Manager Server, SUSE OpenStack Cloud Crowbar, and openSUSE.
💻 Affected Systems
- arpwatch (SUSE packages) on SUSE Linux Enterprise Server, SUSE Manager Server, SUSE OpenStack Cloud Crowbar and openSUSE
📦 What is this software?
arpwatch is a network monitoring daemon that records the Ethernet/IP address pairings seen on an interface and reports changes (new stations, changed MAC addresses, flip-flops) by e-mail through the local mailer. On SUSE it is started by the service manager as root, drops privileges to a dedicated arpwatch user, and keeps its address database under /var/lib/arpwatch.
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root privileges on the affected system, enabling complete system compromise, data theft, persistence establishment, and lateral movement.
Likely Case
An attacker who has gained code execution as the arpwatch runtime user (through a flaw in the daemon, or in anything else running as that account) plants the links, waits for the next restart of arpwatch, typically a reboot or a package update, and comes out of it as root with full administrative control.
If Mitigated
With the updated package installed, the start-up path no longer follows links planted by the runtime user, so control of that account stays confined to what the arpwatch user can already do. Until then, auditing symlink creation by the arpwatch user under /var/lib/arpwatch turns an otherwise silent wait-for-restart attack into an alert before the restart happens.
🎯 Exploit Status
Exploitation needs local code execution as the arpwatch runtime user, not merely any local account, followed by a restart of arpwatch. An unprivileged account cannot normally restart the service itself, so the attacker plants the links and waits for an administrator, an update or a reboot to do it; the escalation is silent unless the link creation or the restart is watched.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: the SUSE update packages for arpwatch 2.1a15. The upstream version number does not change, because the flaw is in SUSE's packaging rather than in upstream arpwatch, so compare the full VERSION-RELEASE of the installed package with the one listed in the advisory for your product, not the version alone.
Vendor Advisory: https://bugzilla.suse.com/show_bug.cgi?id=1186240
Restart Required: Yes
Instructions:
1. Update the arpwatch package with your distribution's package manager; on SUSE:
zypper update arpwatch
2. Before restarting, inspect /var/lib/arpwatch for symbolic links. A restart of the still-vulnerable package is exactly what triggers the escalation, and the update does not clean the data directory, so remove any link you did not create before the service comes back up.
3. Restart the service, or reboot:
systemctl restart arpwatch
🔧 Temporary Workarounds
Disable arpwatch service
Temporarily disable arpwatch if it is not required for network monitoring. This removes the restart that triggers the flaw; it does not remove whatever gave the attacker control of the runtime user.
systemctl stop arpwatch
systemctl disable arpwatch
Restrict arpwatch user permissions
Limit the runtime user's ability to create symlinks in the data directory:
chmod 750 /var/lib/arpwatch
setfacl -m u:arpwatch:rx /var/lib/arpwatch
Two caveats. Neither command restricts the arpwatch user if that user owns /var/lib/arpwatch, which is the usual layout: the owner's permission bits, not a named-user ACL, govern the owner, so the directory must be owned by root for this to mean anything. And once arpwatch cannot write to the directory it can no longer update its address database there, so this breaks the daemon's persistence across restarts; treat it as a stopgap until the package is updated, not as a configuration to keep.
🧯 If You Can't Patch
- Audit symlink creation by the arpwatch user under /var/lib/arpwatch (auditd), and inspect the directory for symlinks before every restart of the service
- Treat the arpwatch account as a privilege boundary: no interactive login, no extra group memberships, and no other services running as that user
🔍 How to Verify
Check if Vulnerable:
Query the installed package with rpm -q arpwatch and compare its VERSION-RELEASE with the fixed package listed in the SUSE advisory for your product. The package release, not the daemon's own version string, is what distinguishes fixed from vulnerable builds of 2.1a15.
Check Version:
rpm -q arpwatch --queryformat '%{VERSION}-%{RELEASE}\n'
Verify Fix Applied:
Confirm that the VERSION-RELEASE reported by rpm is the fixed one from the advisory or newer, and that the package was installed from the vendor repository (zypper info arpwatch shows the repository it came from).
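The version check above comes down to an rpm-style comparison of two VERSION-RELEASE strings. The script below is an added example, not from the SUSE advisory or the arpwatch project: it reads the installed package with the rpm query shown above and decides whether it is at or above the fixed release. The fixed VERSION-RELEASE is not assumed here; the caller supplies it in FIXED_VR from the advisory for their product. The comparison mimics rpm's version ordering (digit runs compared numerically, letter runs as strings, digits beating letters) so that releases such as 4.10.1 sort after 4.9.1.

```shell
#!/bin/sh
# Added example (not SUSE's or arpwatch's code): is the installed arpwatch
# package at or above the fixed VERSION-RELEASE from the SUSE advisory?
# FIXED_VR must be supplied by the caller; no real release string is assumed.

# rpmvercmp-style comparison in awk: both strings are split into runs of
# digits and runs of letters (separators such as . and - are skipped) and
# compared run by run. Digit runs compare numerically, letter runs as
# strings, a digit run beats a letter run, and on a tie the string with more
# runs is newer. Exit status 0 means a >= b, 1 means a < b.
VERCMP_AWK='
function tokens(s, out,   n) {
    n = 0
    while (length(s) > 0) {
        if (match(s, /^[0-9]+/) || match(s, /^[A-Za-z]+/)) {
            out[++n] = substr(s, 1, RLENGTH); s = substr(s, RLENGTH + 1)
        } else {
            s = substr(s, 2)
        }
    }
    return n
}
function vercmp(a, b,   sa, sb, na, nb, i, x, y) {
    na = tokens(a, sa); nb = tokens(b, sb)
    for (i = 1; i <= na && i <= nb; i++) {
        x = sa[i]; y = sb[i]
        if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) {
            if (x + 0 != y + 0) return (x + 0 < y + 0) ? -1 : 1
        } else if (x ~ /^[0-9]+$/) {
            return 1
        } else if (y ~ /^[0-9]+$/) {
            return -1
        } else if (x != y) {
            return (x < y) ? -1 : 1
        }
    }
    if (na == nb) return 0
    return (na < nb) ? -1 : 1
}
BEGIN { exit (vercmp(a, b) >= 0) ? 0 : 1 }
'

# vr_ge A B: succeed when VERSION-RELEASE A is at or above B.
vr_ge() {
    awk -v a="$1" -v b="$2" "$VERCMP_AWK"
}

# installed_vr: VERSION-RELEASE of the installed arpwatch package; fails
# (prints nothing) when it is not installed, since `rpm -q` would otherwise
# print "package arpwatch is not installed" on stdout.
installed_vr() {
    rpm -q arpwatch >/dev/null 2>&1 || return 1
    rpm -q arpwatch --queryformat '%{VERSION}-%{RELEASE}\n'
}

# check_arpwatch INSTALLED FIXED: print a verdict and return
#   0 = fixed, 1 = vulnerable, 2 = not installed (not affected).
check_arpwatch() {
    inst="$1"; fixed="$2"
    if [ -z "$inst" ]; then
        echo "arpwatch is not installed: not affected"
        return 2
    fi
    if vr_ge "$inst" "$fixed"; then
        echo "arpwatch $inst is at or above fixed $fixed: OK"
        return 0
    fi
    echo "arpwatch $inst is below fixed $fixed: VULNERABLE, run 'zypper update arpwatch'"
    return 1
}

# Stand-alone use on a SUSE host: FIXED_VR=<version-release from the advisory> sh check.sh
if [ -z "${FIXED_VR:-}" ]; then
    echo "set FIXED_VR to the fixed VERSION-RELEASE from the SUSE advisory for your product" >&2
elif command -v rpm >/dev/null 2>&1; then
    check_arpwatch "$(installed_vr)" "$FIXED_VR"
else
    echo "rpm not found; run this on the SUSE host" >&2
fi
```

The awk comparison is an approximation of rpm's own ordering (it does not implement the ~ and ^ rules); on a real host `zypper versioncmp A B` is the authoritative check when the strings contain those characters.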
📡 Detection & Monitoring
Log Indicators:
- Creation of symbolic links by the arpwatch user under /var/lib/arpwatch: with auditd these appear as SYSCALL records for symlink or symlinkat from a rule filtering on that user (auditd has no separate SYMLINK record type)
- Files outside the data directory changing owner to the arpwatch user shortly after an arpwatch restart, the footprint of a link that was followed during start-up
- Processes running as the arpwatch user other than arpwatch itself and the mailer it spawns (a shell, ln, or anything else started from the daemon's account)
Network Indicators:
- None specific to this issue; the flaw is local. arpwatch only listens to ARP traffic and hands reports to the local mailer, so any connection initiated by a process running as the arpwatch user is itself anomalous and worth a look.
SIEM Query (pseudo-query; adapt the source and field names to your platform):
(source=auditd type=SYSCALL (syscall=symlink OR syscall=symlinkat) key="arpwatch_symlink")
OR (source=journald UNIT="arpwatch.service" MESSAGE="Start*")
The audit half assumes a rule keyed arpwatch_symlink that hooks symlink and symlinkat for the arpwatch user; syscall names appear only in interpreted output (ausearch -i), raw audit.log carries the numbers, and the PATH records sharing the event id carry the name of the created link. The journal half catches the restarts that turn a planted link into root, so the two halves can be correlated in time.
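Putting the detection section into something that runs: the script below is an added example, not code from the SUSE advisory or the arpwatch project. It prints the auditd rule the query above presupposes (key arpwatch_symlink is an assumption), extracts the tagged events from audit.log together with the created link's absolute path, and lists symlinks in the data directory so the check can be run before a restart. The audit records it parses are constructed samples, not captured ones; the uid 471 and the timestamps are made up.

```shell
#!/bin/sh
# Added example (not SUSE's or arpwatch's code): detection for the symlink
# primitive behind CVE-2021-25321.
#  1. the auditd rule that tags symlink creation by the arpwatch user,
#  2. a parser that pulls the tagged events out of audit.log,
#  3. a filesystem check listing symlinks in the data directory.
# The uid 471 and timestamps in the sample records are constructed.

AUDIT_KEY="arpwatch_symlink"   # assumed key name, used by the rule and the parser

# Rule to append to /etc/audit/rules.d/arpwatch.rules (then `augenrules --load`).
# Both symlink and symlinkat are hooked; the filter is on the runtime user,
# because that is the identity an attacker must already hold. Add a second
# rule with -F arch=b32 if 32-bit binaries can run on the host.
arpwatch_audit_rule() {
    printf -- '-a always,exit -F arch=b64 -S symlink,symlinkat -F uid=arpwatch -k %s\n' "$AUDIT_KEY"
}

# audit_symlink_events LOGFILE KEY: one line per tagged event with the event
# id, acting uid/comm/exe and the absolute path of the created link. The
# SYSCALL record carries the key, the CWD record the working directory, and
# the PATH record with nametype=CREATE the (possibly relative) link name.
audit_symlink_events() {
    awk -v key="$2" '
    # value of name=value in rec (quoted or bare); "" if absent. The leading
    # (^| ) stops uid= from matching inside auid=, euid=, fsuid= and so on.
    function field(rec, name,   r) {
        if (match(rec, "(^| )" name "=\"[^\"]*\"")) {
            r = substr(rec, RSTART, RLENGTH); sub(/^[^=]*="/, "", r); sub(/"$/, "", r); return r
        }
        if (match(rec, "(^| )" name "=[^ ]+")) {
            r = substr(rec, RSTART, RLENGTH); sub(/^[^=]*=/, "", r); return r
        }
        return ""
    }
    $1 == "type=SYSCALL" && field($0, "key") == key {
        id = field($0, "msg"); order[++n] = id
        who[id] = "uid=" field($0, "uid") " comm=" field($0, "comm") " exe=" field($0, "exe")
    }
    $1 == "type=CWD" { cwd[field($0, "msg")] = field($0, "cwd") }
    $1 == "type=PATH" && field($0, "nametype") == "CREATE" {
        id = field($0, "msg"); p = field($0, "name")
        if (p !~ /^\//) p = cwd[id] "/" p   # relative name: resolve against the CWD record
        link[id] = p
    }
    END {
        for (i = 1; i <= n; i++) printf "%s %s link=%s\n", order[i], who[order[i]], link[order[i]]
    }' "$1"
}

# list_symlinks DIR: every symlink under DIR with its target. Nothing in the
# arpwatch data directory should be a symlink; run this before each restart.
list_symlinks() {
    find "$1" -type l -exec sh -c 'for l; do printf "%s -> %s\n" "$l" "$(readlink "$l")"; done' sh {} +
}

# write_sample_audit_log FILE: constructed records, not real captures. Event
# 901 is a symlinkat by the arpwatch user (uid 471) tagged by our rule; event
# 902 is a symlink by an ordinary user tagged by some unrelated rule.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1621412345.101:901): arch=c000003e syscall=266 success=yes exit=0 a0=ffffff9c a1=55d0c1 a2=ffffff9c a3=55d0d2 items=2 ppid=1 pid=1234 auid=4294967295 uid=471 gid=471 euid=471 suid=471 fsuid=471 egid=471 sgid=471 fsgid=471 tty=(none) ses=4294967295 comm="ln" exe="/usr/bin/ln" key="arpwatch_symlink"
type=CWD msg=audit(1621412345.101:901): cwd="/var/lib/arpwatch"
type=PATH msg=audit(1621412345.101:901): item=0 name="/var/lib/arpwatch" inode=1001 dev=fd:01 mode=040750 ouid=471 ogid=471 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1621412345.101:901): item=1 name="arp.dat" inode=1002 dev=fd:01 mode=0120777 ouid=471 ogid=471 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1621412400.500:902): arch=c000003e syscall=88 success=yes exit=0 a0=55d0e1 a1=55d0f2 a2=0 a3=0 items=2 ppid=2000 pid=2001 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts0 ses=3 comm="ln" exe="/usr/bin/ln" key="other_rule"
type=CWD msg=audit(1621412400.500:902): cwd="/home/alice"
type=PATH msg=audit(1621412400.500:902): item=0 name="/home/alice" inode=2001 dev=fd:01 mode=040755 ouid=1000 ogid=100 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1621412400.500:902): item=1 name="notes" inode=2002 dev=fd:01 mode=0120777 ouid=1000 ogid=100 rdev=00:00 nametype=CREATE
EOF
}

# Stand-alone demo on the constructed sample and a scratch data directory.
demo() {
    tmp=$(mktemp -d)
    echo "audit rule:"; arpwatch_audit_rule
    write_sample_audit_log "$tmp/audit.log"
    echo "tagged events:"; audit_symlink_events "$tmp/audit.log" "$AUDIT_KEY"
    mkdir -p "$tmp/arpwatch" && ln -s /etc/shadow "$tmp/arpwatch/arp.dat"
    echo "symlinks in data dir:"; list_symlinks "$tmp/arpwatch"
    rm -rf "$tmp"
}
demo
```

On a real host, point audit_symlink_events at /var/log/audit/audit.log (or at the output of ausearch -k arpwatch_symlink --raw) and list_symlinks at /var/lib/arpwatch; the awk parser deliberately joins the three record types by event id rather than grepping for a path, because the link name in the PATH record is usually relative to the CWD record.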