CVE-2021-26720
📋 TL;DR
This vulnerability in Debian's avahi package allows local attackers to perform symlink attacks on files under /run/avahi-daemon. Attackers can cause denial of service or create arbitrary empty files by exploiting improper file handling in avahi-daemon-check-dns.sh. Only Debian GNU/Linux systems (and SUSE systems using Debian packages) are affected, not upstream Avahi installations.
💻 Affected Systems
- Debian avahi package
- SUSE Linux using Debian avahi packages
📦 What is this software?
Avahi (the Avahi project's mDNS/DNS-SD service discovery daemon)
⚠️ Risk & Real-World Impact
Worst Case
Local root privilege escalation leading to full system compromise; the vulnerability description itself, however, only supports creation of arbitrary empty files and denial of service as the primary impact.
Likely Case
Local denial of service affecting avahi-daemon functionality or creation of empty files in system directories
If Mitigated
Minimal impact if proper file permissions and symlink protections are in place
🎯 Exploit Status
Exploitation requires local access to the system. The symlink attack technique is well-known and easy to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 0.8-4
Vendor Advisory: https://lists.debian.org/debian-lts-announce/2022/06/msg00009.html
Restart Required: Yes
Instructions:
1. Update avahi package: sudo apt update && sudo apt upgrade avahi-daemon
2. Restart avahi-daemon: sudo systemctl restart avahi-daemon
3. Verify the fix by checking version: dpkg -l | grep avahi
🔧 Temporary Workarounds
Remove vulnerable script
Linux: remove or disable the vulnerable avahi-daemon-check-dns.sh script (use one of the two commands; chmod 000 applies only if the file is kept in place)
sudo rm /etc/network/if-up.d/avahi-daemon
sudo chmod 000 /etc/network/if-up.d/avahi-daemon
Restrict script permissions
Linux: change permissions to prevent execution
sudo chmod 644 /etc/network/if-up.d/avahi-daemon
🧯 If You Can't Patch
- Implement strict file permission controls on /run/avahi-daemon directory
- Monitor for symlink creation attempts in system directories
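The two points above, a create that cannot be redirected through a planted symlink and an audit of the directory for non-regular entries, as an added example (not code from Avahi or Debian). It runs on a constructed temporary directory standing in for /run/avahi-daemon, and the flag-file name `example-flag` and the helper names are assumptions of this example:

```python
import os
import stat
import tempfile

def safe_create_empty_file(path: str) -> bool:
    """Create an empty regular file at `path` without following a symlink.
    O_NOFOLLOW fails if `path` is a link, O_EXCL fails if anything exists,
    and both are enforced inside the single open() call, so a link planted
    in the directory can never redirect the create (no check-then-use race)."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o644)
    except OSError:  # EEXIST or ELOOP: a file or a symlink is already there
        return False
    os.close(fd)
    return True

def audit_run_dir(directory: str) -> list:
    """Report entries that are not regular files (symlinks with their
    target): the check a monitor for /run/avahi-daemon would run."""
    findings = []
    for name in sorted(os.listdir(directory)):
        p = os.path.join(directory, name)
        st = os.lstat(p)  # lstat inspects the entry itself, never its target
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{name} -> {os.readlink(p)}")
        elif not stat.S_ISREG(st.st_mode):
            findings.append(f"{name} (not a regular file)")
    return findings

def demo() -> dict:
    """Constructed scenario: a temp dir stands in for /run/avahi-daemon."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "some-other-file")  # what a planted link aims at
        link = os.path.join(d, "example-flag")       # constructed flag-file name
        os.symlink(target, link)                     # the planted (dangling) link
        return {
            "symlink_refused": not safe_create_empty_file(link),
            "target_created": os.path.exists(target),  # must stay False
            "plain_ok": safe_create_empty_file(os.path.join(d, "plain-flag")),
            "findings": audit_run_dir(d),
        }

if __name__ == "__main__":
    print(demo())
```

A shell script that uses `touch` or a redirection instead of this open() pattern follows the link and writes to whatever it points at, which is exactly the behaviour the advisory describes.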
🔍 How to Verify
Check if Vulnerable / Check Version:
Check the installed avahi package version: dpkg -l | grep '^ii.*avahi' | awk '{print $3}'
Verify Fix Applied:
Confirm that the installed version is newer than 0.8-4 and that /etc/network/if-up.d/avahi-daemon, if present, has the expected permissions.
📡 Detection & Monitoring
Log Indicators:
- Failed avahi-daemon startups
- Permission denied errors in /run/avahi-daemon
- Unexpected symlink creation in system directories
Network Indicators:
- Avahi service disruptions
- mDNS/DNS-SD service failures
SIEM Query:
process.name:"avahi-daemon-check-dns.sh" AND file.path:"/run/avahi-daemon/*"
🔗 References
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982796
- https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/1870824
- https://bugzilla.suse.com/show_bug.cgi?id=1180827
- https://lists.debian.org/debian-lts-announce/2022/06/msg00009.html
- https://metadata.ftp-master.debian.org/changelogs/main/a/avahi/avahi_0.8-4_changelog
- https://packages.debian.org/bullseye/avahi-daemon
- https://packages.debian.org/buster/avahi-daemon
- https://packages.debian.org/sid/avahi-daemon
- https://security-tracker.debian.org/tracker/CVE-2021-26720
- https://www.openwall.com/lists/oss-security/2021/02/15/2