CVE-2021-33477 – This vulnerability allows remote code execution... (How to Fix)

Q: What is the severity of CVE-2021-33477?

CVE-2021-33477 has a CVSS score of 8.8 (HIGH). This vulnerability allows remote code execution in multiple terminal emulators (rxvt-unicode, rxvt, mrxvt, Eterm) through improper handling of ESC G Q escape sequences. Attackers can execute arbitrary code when users view malicious content in these terminals. Anyone using affected versions of these terminal emulators is potentially vulnerable.

📋 TL;DR

This vulnerability allows remote code execution in multiple terminal emulators (rxvt-unicode, rxvt, mrxvt, Eterm) through improper handling of ESC G Q escape sequences. Attackers can execute arbitrary code when users view malicious content in these terminals. Anyone using affected versions of these terminal emulators is potentially vulnerable.

💻 Affected Systems

Products:

rxvt-unicode
rxvt
mrxvt
Eterm

Versions: rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, Eterm 0.9.7 and earlier affected versions

Operating Systems: Linux, Unix-like systems

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in default configurations when processing escape sequences. All users of these terminal emulators are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attacker gains full control of the victim's system by executing arbitrary code with user privileges, potentially leading to complete system compromise.

🟠

Likely Case

Attackers execute malicious code when users view specially crafted content (like malicious log files or network output) in vulnerable terminals.

🟢

If Mitigated

No impact if patched versions are used or if vulnerable terminals are not exposed to untrusted input.

🌐 Internet-Facing: MEDIUM - Risk exists if terminals process untrusted network output, but requires user interaction or specific configurations.

🏢 Internal Only: MEDIUM - Internal users could be targeted via malicious files or network services, but requires user to use vulnerable terminal with affected content.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires user to view malicious content in vulnerable terminal. Public references demonstrate the vulnerability and exploitation method.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor updates - rxvt-unicode 9.23+, rxvt 2.7.11+, mrxvt 0.5.5+, Eterm 0.9.8+

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2021/05/msg00026.html

Restart Required: No

Instructions:

1. Update terminal emulator using package manager (apt-get update && apt-get upgrade rxvt-unicode). 2. Verify installation of patched version. 3. Restart terminal sessions.

🔧 Temporary Workarounds

Disable vulnerable terminals

linux

Replace vulnerable terminal emulators with patched alternatives or different terminals

sudo apt-get remove rxvt-unicode rxvt mrxvt eterm
sudo apt-get install gnome-terminal xterm

Restrict terminal usage

all

Limit use of vulnerable terminals to trusted environments only

🧯 If You Can't Patch

Avoid viewing untrusted content in vulnerable terminals
Use alternative terminal emulators that are not affected

🔍 How to Verify

Check if Vulnerable:

Check terminal version: rxvt -version, urxvt -version, or check package manager: dpkg -l | grep -E '(rxvt|eterm)'

Check Version:

rxvt -version 2>&1 | head -1; urxvt -version 2>&1 | head -1

Verify Fix Applied:

Verify updated version is installed: dpkg -l | grep -E '(rxvt|eterm)' and check version numbers against patched versions

📡 Detection & Monitoring

Log Indicators:

Unusual terminal crashes
Suspicious escape sequence patterns in logs

Network Indicators:

Malformed escape sequences in network traffic to terminal services

SIEM Query:

source="terminal.log" AND "ESC G Q" OR "escape sequence" AND (process="rxvt" OR process="urxvt" OR process="eterm")

📊 Metadata

CVE ID: CVE-2021-33477

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-755

Published: May 20, 2021

Last Updated: November 21, 2024

🔗 References

http://cvs.schmorp.de/rxvt-unicode/Changes?view=log Third Party Advisory
http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583 Patch,Third Party Advisory
https://git.enlightenment.org/apps/eterm.git/log/ Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/05/msg00026.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/06/msg00010.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/06/msg00011.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/06/msg00012.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6RFMU5YXXNYYVA7G2DAHRXXHO6JKVFUT/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AO52OLNOOKOCZSJCN3R7Q25XA32BWNWP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DUV4LDVZVW7KCGPAMFZD4ZJ4FVLPOX4C/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZWGE2RJONBEHSPCBUAW72NTRTIFKZAX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SLPVEPBH37EBR4R54RMC6GD33J37HJXD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UXAKO6N6NKTR6Z6KVAPEXSZQMRU52SGA/
https://packetstormsecurity.com/files/162621/rxvt-2.7.0-rxvt-unicode-9.22-Code-Execution.html Exploit,Third Party Advisory,VDB Entry
https://security.gentoo.org/glsa/202105-17 Third Party Advisory
https://security.gentoo.org/glsa/202209-07 Third Party Advisory
https://sourceforge.net/projects/materm/files/mrxvt%20source/ Product,Third Party Advisory
https://sourceforge.net/projects/rxvt/files/rxvt-dev/ Product,Third Party Advisory
https://www.openwall.com/lists/oss-security/2017/05/01/20 Mailing List,Third Party Advisory
https://www.openwall.com/lists/oss-security/2021/05/17/1 Exploit,Mailing List,Third Party Advisory
http://cvs.schmorp.de/rxvt-unicode/Changes?view=log Third Party Advisory
http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583 Patch,Third Party Advisory
https://git.enlightenment.org/apps/eterm.git/log/ Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/05/msg00026.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/06/msg00010.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/06/msg00011.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/06/msg00012.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6RFMU5YXXNYYVA7G2DAHRXXHO6JKVFUT/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AO52OLNOOKOCZSJCN3R7Q25XA32BWNWP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DUV4LDVZVW7KCGPAMFZD4ZJ4FVLPOX4C/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZWGE2RJONBEHSPCBUAW72NTRTIFKZAX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SLPVEPBH37EBR4R54RMC6GD33J37HJXD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UXAKO6N6NKTR6Z6KVAPEXSZQMRU52SGA/
https://packetstormsecurity.com/files/162621/rxvt-2.7.0-rxvt-unicode-9.22-Code-Execution.html Exploit,Third Party Advisory,VDB Entry
https://security.gentoo.org/glsa/202105-17 Third Party Advisory
https://security.gentoo.org/glsa/202209-07 Third Party Advisory
https://sourceforge.net/projects/materm/files/mrxvt%20source/ Product,Third Party Advisory
https://sourceforge.net/projects/rxvt/files/rxvt-dev/ Product,Third Party Advisory
https://www.openwall.com/lists/oss-security/2017/05/01/20 Mailing List,Third Party Advisory
https://www.openwall.com/lists/oss-security/2021/05/17/1 Exploit,Mailing List,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-33477, you might also want to check these: