CVE-2021-27135

9.8 CRITICAL (CVSS v3.1 base score)

📋 TL;DR

CVE-2021-27135 is a critical memory-safety bug in the xterm terminal emulator: a crafted UTF-8 sequence of combining characters, when displayed, causes a segmentation fault and can potentially be used to execute arbitrary code in the context of the user running xterm. All xterm builds before Patch #366 are affected. No network service is involved; the trigger is any data the terminal renders, so a malicious file that the user views, the banner of a server they connect to, or output from a compromised host reached over SSH can all carry it.

💻 Affected Systems

Products:
  • xterm terminal emulator
Versions: All versions before Patch #366
Operating Systems: Linux, Unix-like systems, Any OS running xterm
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any system where xterm is installed and used, including remote terminal sessions via SSH or other protocols.

📦 What is this software?

xterm is the standard terminal emulator for the X Window System and is maintained by Thomas E. Dickey. Upstream releases are identified by patch level ("Patch #NNN"), which is also what the xterm -version banner reports, and most Linux and BSD distributions ship it as the package xterm.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with full system compromise, allowing attackers to install malware, steal data, or pivot to other systems.

🟠

Likely Case

Denial of service through segmentation faults causing terminal crashes and disrupting user sessions.

🟢

If Mitigated

Limited impact once xterm is patched; until then, the exposure is bounded by how much untrusted content is displayed in vulnerable terminals (untrusted files, logs, and output from hosts you do not control).

🌐 Internet-Facing: MEDIUM - xterm is not a network service, so the attacker's bytes must first reach a user's terminal (a downloaded file, a malicious server banner, a remote host's command output); once they are displayed, no further interaction is needed.
🏢 Internal Only: HIGH - any internal user or compromised system whose output ends up rendered in a vulnerable xterm (for example through an SSH session) can trigger the bug.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires only that the crafted sequence be written to the vulnerable xterm instance: the attacker does not authenticate to xterm itself, but does need a channel whose output the victim displays (a file, a log, a remote shell, or a service banner).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patch #366 or later

Vendor Advisory: https://invisible-island.net/xterm/xterm.log.html

Restart Required: Yes (already-running xterm processes keep the old code in memory; close and relaunch them. No reboot is needed.)

Instructions:

1. Update xterm to a build with Patch #366 or later.
2. For RedHat/CentOS: yum update xterm
3. For Debian/Ubuntu: apt update && apt install xterm
4. Close and relaunch any running xterm sessions.

Note that distributions sometimes backport the fix without raising the upstream patch level; in that case confirm the fix from the package changelog (for example rpm -q --changelog xterm | grep CVE-2021-27135, or apt changelog xterm | grep CVE-2021-27135) rather than from the version banner alone.

🔧 Temporary Workarounds

Disable UTF-8 combining characters

Platform: linux

Configure xterm to disable UTF-8 combining character processing, then load the change with xrdb -merge ~/.Xresources and relaunch xterm (running instances keep their old resources).

Add 'XTerm*allowCombineChars: false' to ~/.Xresources or the XTerm app-defaults file. Caveat: xterm silently ignores resource names it does not recognise, so confirm the resource exists in man xterm for your build before relying on it, and treat this as a stop-gap only; it is not vendor-verified as a mitigation and does not replace Patch #366.

Use alternative terminal

Platform: linux

Temporarily switch to a non-vulnerable terminal emulator

Use gnome-terminal, konsole, or another terminal emulator that does not share xterm's code base, until the patched xterm package is installed.

🧯 If You Can't Patch

  • Restrict terminal access to trusted users only
  • Avoid displaying untrusted content in a vulnerable xterm: view untrusted files with cat -v (which escapes non-ASCII bytes) or in a non-vulnerable terminal, and be careful with SSH sessions to hosts you do not control
  • Implement network segmentation to limit which remote hosts users open terminal sessions to

🔍 How to Verify

Check if Vulnerable:

Run xterm -version. It prints a banner of the form XTerm(NNN), where NNN is the upstream patch level (the banner does not contain the text "Patch #", so do not grep for that). A value below 366 is vulnerable unless your distribution backported the fix; in that case the package changelog will mention CVE-2021-27135.

Check Version:

xterm -version

Verify Fix Applied:

Confirm xterm -version reports a patch level of 366 or higher (XTerm(366) or later), or that the package changelog records the CVE-2021-27135 fix.
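The check above, as an added shell example (not part of this page or of the xterm project). It assumes that xterm -version prints a banner such as XTerm(366) and that the number in parentheses is the upstream patch level; the helper and variable names are my own. The sample banners at the end are constructed so the script runs without xterm installed.

```shell
#!/bin/sh
# Added example: classify an xterm build as vulnerable to CVE-2021-27135
# from its "-version" banner. Assumption: the banner looks like "XTerm(366)".

FIXED_PATCH=366

# xterm_patch_level BANNER -> prints the numeric patch level, or nothing
# when the banner is not in the expected "XTerm(NNN)" form.
xterm_patch_level() {
    printf '%s\n' "$1" | sed -n 's/^[Xx][Tt]erm(\([0-9][0-9]*\)).*$/\1/p'
}

# cve_2021_27135_status BANNER -> prints "vulnerable", "fixed" or "unknown";
# exit status 1 = vulnerable, 0 = fixed, 2 = unknown.
cve_2021_27135_status() {
    level=$(xterm_patch_level "$1")
    if [ -z "$level" ]; then
        echo unknown
        return 2
    fi
    if [ "$level" -lt "$FIXED_PATCH" ]; then
        echo vulnerable
        return 1
    fi
    echo fixed
    return 0
}

# check_installed_xterm -> runs the real binary if present. Distributions
# may backport the fix without raising the patch level, so confirm a
# "vulnerable" verdict against the package changelog, e.g.
#   rpm -q --changelog xterm | grep CVE-2021-27135
#   apt changelog xterm | grep CVE-2021-27135
check_installed_xterm() {
    if ! command -v xterm >/dev/null 2>&1; then
        echo "xterm not installed"
        return 0
    fi
    banner=$(xterm -version 2>&1 | head -n 1)
    printf '%s: ' "$banner"
    cve_2021_27135_status "$banner"
}

# Stand-alone demonstration on constructed banners (not captured output):
for b in 'XTerm(353)' 'XTerm(366)' 'XTerm(372)' 'garbage'; do
    printf '%-12s -> ' "$b"
    cve_2021_27135_status "$b" || true
done
```

Run check_installed_xterm on each host; a "vulnerable" result means the banner is below 366, which is conclusive for upstream builds but must be cross-checked with the distribution changelog for vendor packages.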

📡 Detection & Monitoring

Log Indicators:

  • Kernel "segfault at ..." reports for xterm processes in dmesg or journalctl -k
  • systemd-coredump notices of the form "Process <pid> (xterm) of user <uid> dumped core"
  • Unexpected xterm process crashes and abnormal terminal session terminations (a wrapping shell reports exit status 139, i.e. 128 + SIGSEGV)

Network Indicators:

  • Weak: terminal traffic over SSH is encrypted, so the crafted UTF-8 sequence is not visible on the wire. Treat clusters of xterm crashes on hosts that recently opened sessions to, or fetched files from, the same remote source as the correlating signal.

SIEM Query:

process.name:"xterm" AND (event.action:"segmentation fault" OR process.exit_code:139)

The parentheses matter: without them AND binds tighter than OR, and the query also matches every process on the estate that exited with status 139.
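The host-side side of the log indicators above, as an added shell example (not part of this page): it scans kernel and systemd-coredump lines for xterm crashes and ignores other processes' crashes. The log lines in SAMPLE_LOG are constructed to match the Linux kernel "segfault at" format and the systemd-coredump "dumped core" message; the function names are my own.

```shell
#!/bin/sh
# Added example: host-side triage for xterm crash indicators. The sample
# log below is constructed, not captured from a real incident.

SAMPLE_LOG='Mar 10 12:34:56 host kernel: xterm[2310]: segfault at 0 ip 000055d4c2a1b3f0 sp 00007ffd3a9c1e20 error 4 in xterm[55d4c2a0a000+7b000]
Mar 10 12:34:56 host systemd-coredump[2315]: Process 2310 (xterm) of user 1000 dumped core.
Mar 10 12:40:01 host kernel: bash[2400]: segfault at 8 ip 00005611a0b0c0d0 sp 00007ffe12345678 error 6 in bash[5611a0a00000+e8000]
Mar 10 12:41:00 host sshd[2500]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2'

# xterm_crash_lines: read log text on stdin and emit only lines recording an
# xterm crash: kernel segfault reports whose faulting process is xterm, or
# systemd-coredump notices naming xterm. Other processes' crashes are ignored.
xterm_crash_lines() {
    grep -E 'kernel: xterm\[[0-9]+\]: segfault at|\(xterm\) of user [0-9]+ dumped core'
}

# xterm_crash_count: number of such lines (0 when there are none).
xterm_crash_count() {
    xterm_crash_lines | wc -l | tr -d ' '
}

# xterm_crash_pids: distinct PIDs of crashed xterm processes, for correlating
# with login records and SSH sessions active at the time.
xterm_crash_pids() {
    xterm_crash_lines \
        | sed -nE -e 's/.*kernel: xterm\[([0-9]+)\]:.*/\1/p' \
                  -e 's/.*Process ([0-9]+) \(xterm\).*/\1/p' \
        | sort -u
}

# Stand-alone demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | xterm_crash_lines
echo "xterm crashes: $(printf '%s\n' "$SAMPLE_LOG" | xterm_crash_count)"
echo "pids: $(printf '%s\n' "$SAMPLE_LOG" | xterm_crash_pids | tr '\n' ' ')"
# On a live host, feed the journal instead of the sample, e.g.:
#   journalctl -k --since -1h | xterm_crash_lines
#   journalctl -t systemd-coredump --since -1h | xterm_crash_lines
```

A single crash is usually just a bug; several xterm crashes across users within a short window, especially shortly after sessions to the same remote host, is the pattern worth escalating.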

🔗 References

  • xterm changelog (Patch #366): https://invisible-island.net/xterm/xterm.log.html
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-27135