CVE-2021-32555
📋 TL;DR
CVE-2021-32555 is a path traversal vulnerability in Apport's read_file() function that follows symbolic links and opens FIFOs, potentially exposing sensitive data. This affects Ubuntu systems with the xorg-hwe-18.04 package where local users could access private files. The vulnerability requires local access to exploit.
💻 Affected Systems
- apport
- xorg-hwe-18.04
📦 What is this software?
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Local attackers could read arbitrary files including sensitive system files, configuration files with credentials, or user data, leading to privilege escalation or data theft.
Likely Case
Local users with limited privileges could access files they shouldn't have permission to read, potentially exposing system information or other user data.
If Mitigated
With proper file permissions and access controls, the impact is limited to files the Apport process can already access.
🎯 Exploit Status
Exploitation requires local access and knowledge of symbolic link creation. The bug report includes demonstration of the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apport 2.20.11-0ubuntu27.18 and later
Vendor Advisory: https://ubuntu.com/security/CVE-2021-32555
Restart Required: No
Instructions:
1. Update system: sudo apt update && sudo apt upgrade
2. Specifically update apport: sudo apt install --only-upgrade apport
3. Verify the fix with: apt-cache policy apport
🔧 Temporary Workarounds
Disable Apport crash reporting
linuxTemporarily disable Apport to prevent the vulnerable hooks from being triggered
sudo systemctl stop apport
sudo systemctl disable apport
Remove xorg-hwe-18.04 package
linuxRemove the vulnerable package if not needed
sudo apt remove xorg-hwe-18.04
🧯 If You Can't Patch
- Implement strict file permissions and access controls to limit what files Apport can access
- Monitor for suspicious symbolic link creation in system directories
🔍 How to Verify
Check if Vulnerable:
Check Apport version: dpkg -l | grep apport | grep ^iiCheck Version:
dpkg -l | grep apport | grep ^ii | awk '{print $3}'Verify Fix Applied:
Verify Apport version is 2.20.11-0ubuntu27.18 or later: apt-cache policy apport📡 Detection & Monitoring
Log Indicators:
- Unusual Apport crash reports accessing unexpected files
- Failed attempts to access sensitive files through Apport
Network Indicators:
- Not applicable - local vulnerability only
SIEM Query:
process.name:"apport" AND file.path:"/etc/shadow" OR file.path:"/etc/passwd" OR file.path:"/root/*"