Login Sign Up

CVE-2021-25682

8.8 HIGH

📋 TL;DR

CVE-2021-25682 is a vulnerability in Apport's get_pid_info() function that improperly parses /proc/pid/status files, potentially allowing local privilege escalation. This affects Ubuntu systems with Apport installed. Attackers could exploit this to gain root privileges from a local user account.

💻 Affected Systems

Products:
  • Apport
Versions: Apport versions prior to 2.20.11-0ubuntu27.20
Operating Systems: Ubuntu
Default Config Vulnerable: ⚠️ Yes
Notes: Apport is installed by default on Ubuntu systems for crash reporting. The vulnerability requires local access to exploit.

📦 What is this software?

Apport by Canonical

View all CVEs affecting Apport →

Apport by Canonical

View all CVEs affecting Apport →

Apport by Canonical

View all CVEs affecting Apport →

Apport by Canonical

View all CVEs affecting Apport →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains full root privileges, compromising the entire system and potentially pivoting to other systems.

🟠

Likely Case

Local privilege escalation allowing attackers to execute arbitrary code with root permissions.

🟢

If Mitigated

Limited impact if proper access controls restrict local user accounts and Apport is disabled or patched.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access.
🏢 Internal Only: HIGH - Any compromised local account could exploit this to gain root access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but is relatively straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apport 2.20.11-0ubuntu27.20 and later

Vendor Advisory: https://ubuntu.com/security/notices/USN-4737-1

Restart Required: No

Instructions:

1. Update system: sudo apt update && sudo apt upgrade 2. Specifically update apport: sudo apt install --only-upgrade apport 3. Verify version: dpkg -l apport

🔧 Temporary Workarounds

Disable Apport

linux

Temporarily disable Apport crash reporting service

sudo systemctl stop apport
sudo systemctl disable apport

Remove Apport

linux

Completely remove Apport package if not needed

sudo apt remove apport

🧯 If You Can't Patch

  • Restrict local user access and implement strict access controls
  • Monitor for suspicious privilege escalation attempts and Apport process activity

🔍 How to Verify

Check if Vulnerable:

Check Apport version: dpkg -l apport | grep ^ii

Check Version:

dpkg -l apport | grep ^ii | awk '{print $3}'

Verify Fix Applied:

Verify installed version is 2.20.11-0ubuntu27.20 or later: dpkg -l apport

📡 Detection & Monitoring

Log Indicators:

  • Unusual Apport process activity
  • Failed privilege escalation attempts in auth logs
  • Suspicious /proc file access

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

process_name:"apport" AND (event_type:"privilege_escalation" OR parent_process:"apport")

📊 Metadata

CVE ID: CVE-2021-25682
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-20
Published: June 11, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-25682, you might also want to check these:

CVE-2022-47190 10.0

CVE-2022-47190 allows remote attackers to upload malicious firmware containing a webshell to Generex...

Same vulnerability type (CWE-20)
CVE-2024-3400 10.0

CVE-2024-3400 is a critical command injection vulnerability in Palo Alto Networks PAN-OS GlobalProte...

Same vulnerability type (CWE-20)
CVE-2023-42802 10.0

This critical vulnerability in GLPI allows attackers to upload malicious PHP files to unauthorized d...

Same vulnerability type (CWE-20)