CVE-2021-3445
📋 TL;DR
A flaw in libdnf's RPM signature verification (versions before 0.60.1) lets an attacker who can alter the header information of an RPM package achieve code execution if a user or an automated update process is then tricked into installing that package through libdnf. Because RPM installation runs package scriptlets as root, that means arbitrary code as root. It affects package management on libdnf-based distributions such as Fedora, RHEL and CentOS.
💻 Affected Systems
- libdnf
- DNF package manager
- YUM (when using libdnf backend)
📦 What is this software?
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
An altered package accepted as validly signed is installed, and its scriptlets run as root: full system compromise, data theft, persistence and complete control of the host.
Likely Case
An attacker controlling or intercepting a repository or mirror the host downloads from (a compromised mirror, or plain-HTTP traffic altered in transit) serves a tampered package that the flawed libdnf check accepts; it is installed with root privileges like any other package.
If Mitigated
Little to no impact if packages come only from trusted repositories reached over authenticated transport (HTTPS) and signatures are additionally verified by rpm's own code path (rpm -K / rpmkeys), which is independent of the flawed libdnf verification.
🎯 Exploit Status
Requires the ability to alter an RPM package's header information (typically by controlling or intercepting the repository or mirror the host fetches from) and then getting a user or an automated update run to install the package. This page references no public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: libdnf 0.60.1 and later
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1932079
Restart Required: No reboot. libdnf is loaded afresh by each dnf invocation; any long-running daemon that keeps libdnf loaded (for example a PackageKit daemon using the dnf backend) keeps the old copy until it is restarted.
Instructions:
1. Update libdnf to version 0.60.1 or later using your distribution's package manager.
2. For Fedora/RHEL/CentOS: sudo dnf update libdnf
3. Verify the update completed successfully. Note that RHEL/CentOS may ship the fix as a backport under a lower version number; check the package changelog (rpm -q --changelog libdnf | grep -i CVE-2021-3445) rather than relying on the version string alone.
🔧 Temporary Workarounds
Use only trusted repositories
Configure the package manager to use only verified, trusted repositories and disable third-party or unverified repos. Prefer repositories reached over HTTPS (baseurl=https://... with sslverify=1), which removes the in-transit tampering path that makes altered headers reach the host in the first place.
# Check current repos: dnf repolist
# Disable suspicious repos: dnf config-manager --disable <repo-id>
Verify package signatures manually
Manually verify RPM package signatures before installation with the rpm command. This check is performed by rpm's own signature code, not by libdnf, so it is unaffected by this flaw. Caveat: rpm -K exits successfully for an unsigned package (its digests still verify), so require that the output actually reports a verified signature rather than just checking the exit status.
# Verify package signature: rpm --checksig package.rpm
# Check specific signature: rpm -Kv package.rpm
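The following shell helper, added here as an example and not taken from the advisory or the libdnf project, gates a local install on rpm's own verification. It parses the summary line of rpm -K (both the rpm 4.14+ wording "digests signatures OK" and the older "rsa sha1 (md5) pgp md5 OK") and refuses packages whose output shows no signature at all or any "NOT OK". The header tags RSAHEADER/DSAHEADER are queried to confirm a signature is present; safe_install is a hypothetical wrapper name.

```shell
#!/bin/sh
# Added example: require a verified signature, not just a clean exit code.
# rpm -K returns 0 for an UNSIGNED package because its digests verify, so
# the summary line must be inspected for an actual signature result.

# classify_checksig_line LINE -> 0 only if LINE reports a signature that
# verified OK. Rejects "NOT OK" (bad or unknown-key signature, bad digest)
# and rejects lines with no signature keyword (unsigned: digests only).
classify_checksig_line() {
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$lower" in
        *"not ok"*) return 1 ;;              # signature or digest failure
    esac
    case "$lower" in
        *signatures*|*pgp*|*gpg*) ;;         # a signature was checked
        *) return 1 ;;                       # unsigned package
    esac
    case "$lower" in
        *ok) return 0 ;;                     # ends in "OK"
    esac
    return 1
}

# verify_rpm_signature FILE -> 0 only if FILE carries a header signature
# and rpm -K reports it as OK against a key in the rpm keyring.
verify_rpm_signature() {
    pkg=$1
    [ -r "$pkg" ] || { echo "no such file: $pkg" >&2; return 2; }
    # Signature tags read "(none)" when the package is unsigned.
    sig=$(rpm -qp --qf '%{RSAHEADER:pgpsig}|%{DSAHEADER:pgpsig}\n' "$pkg" 2>/dev/null)
    case "$sig" in
        ""|"(none)|(none)") echo "$pkg: no header signature" >&2; return 1 ;;
    esac
    out=$(rpm -K "$pkg" 2>&1); rc=$?
    echo "$out"
    [ "$rc" -eq 0 ] && classify_checksig_line "$out"
}

# safe_install FILE -> install a local .rpm only after verification passes.
safe_install() {
    verify_rpm_signature "$1" || { echo "refusing to install $1" >&2; return 1; }
    sudo dnf install "$1"
}

# Runs only when a package path is given on the command line.
if [ $# -gt 0 ]; then safe_install "$1"; fi
```

Import the vendor's signing key into the rpm keyring first (rpm --import), otherwise every genuinely signed package is reported as "SIGNATURES NOT OK" for a missing key and correctly refused.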
🧯 If You Can't Patch
- Restrict package installation to administrators only and implement approval workflows
- Restrict egress so hosts can reach only approved mirrors, preferably over HTTPS, which denies an attacker the in-transit path for altering package headers
🔍 How to Verify
Check if Vulnerable:
Print the installed upstream version and release: rpm -q libdnf --queryformat '%{VERSION}-%{RELEASE}\n'
Any upstream version below 0.60.1 is affected unless the distribution has backported the fix.
Check Version:
rpm -q libdnf
Verify Fix Applied:
Compare the version as numbers, not with a regular expression: a pattern such as 0\.6[0-9]\. also accepts 0.60.0, and 0\.[7-9]\. accepts the old 0.7.x series, both of which are below 0.60.1. On RHEL/CentOS, where the fix may be backported without a version bump, also check the package changelog: rpm -q --changelog libdnf | grep -i CVE-2021-3445
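The shell snippet below, added as an example (not from the advisory or the libdnf project), compares dot-separated version fields numerically against the upstream fix version 0.60.1 and falls back to the package changelog for distribution backports. The function names version_ge and libdnf_fix_status are this example's own; rpm version tilde ordering is not modelled (a suffix such as ~rc1 is simply stripped), which is sufficient for the integer components libdnf uses.

```shell
#!/bin/sh
# Added example: numeric version comparison for the libdnf fix check.
# A regex on the version string mis-classifies 0.60.0 and 0.7.x as fixed.

FIXED_VERSION="0.60.1"

# version_ge A B -> 0 if A >= B, comparing dot-separated fields as integers.
# Missing trailing fields count as 0 (0.60 == 0.60.0). Any non-numeric
# suffix in a field (e.g. "1~rc1") is dropped before comparing.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}   # keep leading digits only
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
    done
    return 0                                   # all fields equal
}

# libdnf_fix_status -> 0 fixed (upstream version or distro backport),
#                      1 vulnerable, 2 libdnf not installed.
libdnf_fix_status() {
    ver=$(rpm -q --queryformat '%{VERSION}\n' libdnf 2>/dev/null | head -n 1)
    [ -n "$ver" ] || { echo "libdnf not installed"; return 2; }
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "libdnf $ver: at or past upstream fix $FIXED_VERSION"
        return 0
    fi
    # Enterprise distros backport fixes without bumping VERSION; the
    # package changelog then names the CVE.
    if rpm -q --changelog libdnf 2>/dev/null | grep -qi 'CVE-2021-3445'; then
        echo "libdnf $ver: fix backported (CVE named in package changelog)"
        return 0
    fi
    echo "libdnf $ver: VULNERABLE (below $FIXED_VERSION, no backport noted)"
    return 1
}

# Runs the check when invoked directly with "status" as the argument.
if [ "${1:-}" = "status" ]; then libdnf_fix_status; fi
```

Run it as sh check.sh status; the exit code (0/1/2) is suitable for a compliance scan or a configuration-management assertion.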
📡 Detection & Monitoring
Log Indicators:
- Failed package signature verification in dnf/yum logs
- Package installations from unusual repositories
- Unexpected package installation events
Network Indicators:
- Connections to untrusted package repositories
- Downloads of RPM packages from unusual sources
SIEM Query:
source="dnf.log" AND ("signature verification failed" OR "package from untrusted repo")
(Template only: the quoted strings are placeholders. Match them to the exact messages the installed dnf version writes to /var/log/dnf.log and /var/log/dnf.rpm.log, and pair GPG-failure hits with the "Installed:" entries in dnf.rpm.log to see what was actually installed.)
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=1932079
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPMFGGQ5T6WVFTFX3OKMVTTM5O4EXWZR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4NL7TNWAHJ6JVRABQUPWHKKCTHUZMNF/