CVE-2021-33505

7.8 HIGH

📋 TL;DR

CVE-2021-33505 is a privilege escalation vulnerability in Falco in which a local malicious user can bypass the detection engine by manipulating system call arguments. Falco versions up to and including 0.28.1 are affected, so an attacker with local access to such a host can evade security monitoring. Only hosts running a vulnerable Falco version are impacted.

💻 Affected Systems

Products:
  • Falco
Versions: All versions <= 0.28.1
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Falco installations on Linux systems where local users can execute programs.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers completely bypass Falco's security monitoring, execute malicious activities undetected, and potentially escalate privileges or maintain persistence without triggering alerts.

🟠 Likely Case

Local attackers evade specific Falco rules by modifying system call arguments, allowing them to perform unauthorized actions while avoiding detection.

🟢 If Mitigated

With proper network segmentation and additional security controls, the impact is limited to the local system where Falco runs, preventing lateral movement.

🌐 Internet-Facing: LOW - This requires local access to the system running Falco, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Local attackers with access to systems running vulnerable Falco can bypass critical security monitoring.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to run programs that manipulate system call arguments. No public exploit code has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.29.1 and later

Vendor Advisory: https://github.com/falcosecurity/falco/releases

Restart Required: Yes

Instructions:

1. Check current Falco version: falco --version
2. Update Falco to version 0.29.1 or later using your package manager
3. Restart Falco service: systemctl restart falco
4. Verify the update: falco --version

🔧 Temporary Workarounds

Restrict local user access (Linux)

Limit local user privileges on systems running Falco to reduce the attack surface:

# Implement least privilege principles for local users
# Use sudo restrictions and access controls

🧯 If You Can't Patch

  • Implement additional security monitoring layers (auditd, osquery) to detect bypass attempts
  • Isolate Falco systems from regular user access and implement strict access controls

🔍 How to Verify

Check if Vulnerable:

Run: falco --version | grep -E '0\.(2[0-8]|1[0-9]|[0-9])\.[0-9]+' - the pattern matches any 0.x version string up to 0.28.x; if the output shows a version <= 0.28.1, the system is vulnerable

Check Version:

falco --version

Verify Fix Applied:

Run: falco --version | grep -E '0\.(29|3[0-9]|[4-9][0-9])\.[0-9]+' - the pattern matches 0.29.x and later 0.x version strings; if the output shows a version >= 0.29.1, the fix is applied. Note that the pattern also matches 0.29.0, so confirm the patch level is 0.29.1 or higher, and that it does not match a 1.x version string, which is newer than the fix.
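The regex checks above cannot express "<= 0.28.1" exactly and never match a 1.x release. The following script, an added example that is not part of the advisory or of the Falco project, parses the version banner and compares it numerically against the fixed release stated above. It assumes that `falco --version` prints a banner containing one major.minor.patch token (the wording "Falco version: 0.28.1" is assumed).

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether an installed Falco
# predates the fixed release (0.29.1, as stated in the advisory) by comparing
# version numbers instead of grepping with a hand-written regex.
# Assumption: `falco --version` prints a banner containing one
# major.minor.patch token, e.g. "Falco version: 0.28.1" (wording assumed).

FIXED_VERSION="0.29.1"

# Print the first major.minor.patch token found in $1 (nothing if absent).
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Map major.minor.patch to one integer so versions compare with -lt/-ge.
# Minor and patch are assumed to stay below 1000, which holds for Falco.
version_key() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    echo $(( major * 1000000 + minor * 1000 + patch ))
}

# Print VULNERABLE, FIXED or UNKNOWN for the banner text given in $1.
falco_status() {
    version=$(extract_version "$1")
    if [ -z "$version" ]; then
        echo "UNKNOWN"
        return 0
    fi
    if [ "$(version_key "$version")" -lt "$(version_key "$FIXED_VERSION")" ]; then
        echo "VULNERABLE"
    else
        echo "FIXED"
    fi
}

# Stand-alone use: check the local install if Falco is in PATH, otherwise
# run on a constructed banner so the script still demonstrates the logic.
if command -v falco >/dev/null 2>&1; then
    printf 'installed falco: %s\n' "$(falco_status "$(falco --version 2>&1)")"
else
    printf 'constructed banner "Falco version: 0.28.1": %s\n' \
        "$(falco_status "Falco version: 0.28.1")"
fi
```

Because the comparison is numeric, a 1.x banner is reported as FIXED, and 0.29.0 is reported as VULNERABLE in line with the stated fix version of 0.29.1.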

📡 Detection & Monitoring

Log Indicators:

  • Unexpected gaps in Falco alert logs
  • Processes running with unusual system call patterns
  • Falco rules that should normally fire not triggering on the activity they are meant to catch

Network Indicators:

  • None - this is a local exploitation vulnerability

SIEM Query (Splunk SPL; a plain `stats count by rule` cannot list rules with zero events, so the counts are compared against a list of rules expected to fire, held here in an assumed lookup file expected_falco_rules.csv with a rule column):

| inputlookup expected_falco_rules.csv | join type=left rule [search source="falco" | stats count by rule] | fillnull value=0 count | where count=0
