CVE-2021-3472

7.8 HIGH

📋 TL;DR

CVE-2021-3472 is an integer underflow in the X.Org X server's handling of the XInput extension's XChangeFeedbackControl request (shipped as xorg-x11-server). A crafted request from an authorised local X client makes the server read or write outside the intended buffer. Where the X server runs as root (the traditional setuid or root-started Xorg), this lets a standard user gain root, compromising data confidentiality, integrity and system availability; where the server runs as the session user, the flaw yields only that user's privileges or a crash of the X session. Versions before 1.20.11 are affected.

💻 Affected Systems

Products:
  • xorg-x11-server
  • X.Org X Server
Versions: Versions before 1.20.11
Operating Systems: Linux distributions with X11, Unix-like systems with X11
Default Config Vulnerable: ⚠️ Yes
Notes: Only hosts running an X server built from xorg-server are affected. Escalation to root requires the server to run privileged; where Xorg runs rootless under logind, or a Wayland session runs only Xwayland (built from the same source) as the session user, the impact is limited to a crash or code execution as that user. Systems with no X server at all are not affected.

📦 What is this software?

xorg-x11-server (the X.Org X Server) is the reference implementation of the X Window System display server used for graphical sessions on Linux and other Unix-like systems. Clients talk to it over a local socket using the X protocol, and on many installations the Xorg binary is setuid root or started as root by the display manager, which is why a memory-safety bug in request handling becomes a privilege escalation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains full root privileges, allowing complete system compromise, data theft, persistence installation, and lateral movement.

🟠

Likely Case

Local user escalates to root privileges, enabling unauthorized access to sensitive data and system modification.

🟢

If Mitigated

Patched, or with the X server running unprivileged and X access limited to trusted clients, the remaining impact is at most a crash of the X session (denial of service).

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring an authorised connection to the X server; the only remote route is a user who already has SSH access with X11 forwarding.
🏢 Internal Only: HIGH - Internal users with shell access to a host whose X server runs as root can exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires an authorised connection to the X server (a local graphical session, or a remote user with SSH X11 forwarding) and a crafted XChangeFeedbackControl request; the vendor advisory describes the flaw. No authentication bypass is involved: the attacker must already be a client the X server accepts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.20.11 and later

Vendor Advisory: https://lists.x.org/archives/xorg-announce/2021-April/003089.html

Restart Required: Yes (a running X server keeps the old code until it is restarted; log out of the graphical session, restart the display manager, or reboot)

Instructions:

1. Update the X server package using your distribution's package manager.
2. Red Hat/CentOS: 'yum update xorg-x11-server-Xorg' (the binary package; 'xorg-x11-server' is the source package name).
3. Debian/Ubuntu: 'apt update && apt install --only-upgrade xserver-xorg-core'.
4. Restart the X server ('systemctl restart display-manager' ends all graphical sessions) or reboot, then confirm the fix with 'Xorg -version' or the package changelog.

🔧 Temporary Workarounds

Disable X11 if not needed

linux

Remove or disable X11 display server if the system doesn't require graphical interface

systemctl disable display-manager
systemctl set-default multi-user.target

Restrict local user access

all

Limit shell access to trusted users only; any user who can open a connection to the X server, including through SSH X11 forwarding, can reach the vulnerable code.

🧯 If You Can't Patch

  • Run the X server unprivileged where the distribution supports it (rootless Xorg under logind, or a Wayland session with Xwayland); the flaw then yields at most the session user's privileges, not root
  • Keep the X server reachable only by trusted clients: leave TCP listening off (the default, -nolisten tcp), do not loosen access with 'xhost +', and set 'X11Forwarding no' in sshd_config on servers whose remote users should not get an X connection
  • Implement strict access controls to limit local user accounts
  • Monitor for X server crashes and for root activity that is not preceded by su/sudo authentication

🔍 How to Verify

Check if Vulnerable:

Check the installed X server version: 'Xorg -version' (the first line reads "X.Org X Server <version>"), 'rpm -q xorg-x11-server-Xorg' on Red Hat/CentOS, or 'dpkg -l xserver-xorg-core' on Debian/Ubuntu. Also check which user the server runs as, since only a privileged server turns this flaw into a root escalation: 'ps -o user=,pid=,cmd= -C Xorg'.

Check Version:

Xorg -version 2>&1 | head -5

Verify Fix Applied:

Verify the version is 1.20.11 or higher: 'Xorg -version 2>&1 | grep -i version'. Distributions often backport the fix without changing the upstream version number, so if the package still reports an older version, check its changelog instead: 'rpm -q --changelog xorg-x11-server-Xorg | grep CVE-2021-3472' on Red Hat/CentOS, or 'zcat /usr/share/doc/xserver-xorg-core/changelog.Debian.gz | grep CVE-2021-3472' on Debian/Ubuntu.
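The version check above can be scripted for fleet use. The following is an added example written for this page, not code from X.Org or from the advisory: it parses the first line of 'Xorg -version' output and compares the dotted version against the 1.20.11 fix release field by field, so that 1.20.4 compares lower than 1.20.11 (a plain string comparison would get this wrong). It assumes the line has the form "X.Org X Server <version>"; the sample lines at the bottom are constructed, not captured from real hosts. Because distributions backport the fix, a "vulnerable" verdict from this script only means "upstream version predates the fix" and must be confirmed against the package changelog.

```shell
#!/bin/sh
# Added example (not X.Org code): classify an X server version line against the
# 1.20.11 fix for CVE-2021-3472. Assumes the input looks like the first line of
# `Xorg -version 2>&1`, e.g. "X.Org X Server 1.20.10".

# version_lt A B -> exit 0 when dotted version A is numerically lower than B.
# Compares the first four numeric fields; missing fields count as 0.
version_lt() {
    a="$1.0.0.0"
    b="$2.0.0.0"
    i=1
    while [ "$i" -le 4 ]; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i")
        fb=$(printf '%s' "$b" | cut -d. -f"$i")
        fa=${fa:-0}
        fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # versions are equal
}

# xorg_vulnerable LINE -> prints "vulnerable" (exit 0), "fixed" (exit 1) or
# "unknown" (exit 2) for a "X.Org X Server <version>" line.
xorg_vulnerable() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^X\.Org X Server \([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 2
    fi
    if version_lt "$ver" 1.20.11; then
        echo vulnerable      # upstream version predates the fix; confirm via changelog
        return 0
    fi
    echo fixed
    return 1
}

# Constructed sample lines (not real host output) showing each verdict.
for line in "X.Org X Server 1.20.10" "X.Org X Server 1.20.4" \
            "X.Org X Server 1.20.11" "X.Org X Server 21.1.1" \
            "X Protocol Version 11, Revision 0"; do
    printf '%-36s -> %s\n' "$line" "$(xorg_vulnerable "$line")"
done
```

On a live host, feed it the real first line: 'xorg_vulnerable "$(Xorg -version 2>&1 | head -n 1)"'. The exit status (0 vulnerable, 1 fixed, 2 unknown) lets the function be used directly in an inventory script.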

📡 Detection & Monitoring

Log Indicators:

  • X server crashes or display manager restarts, logged as '(EE) Caught signal 11 (Segmentation fault). Server aborting' in Xorg.0.log or the journal; a failed exploitation attempt typically leaves exactly this trace
  • Root-owned processes whose parent is the Xorg process, or a root shell appearing inside a user's graphical session
  • Root activity in auth.log with no matching su/sudo authentication beforehand

Network Indicators:

  • None: local privilege escalation generates no network traffic. The only remote path is an SSH session with X11 forwarding, which is indistinguishable from ordinary SSH on the wire.

SIEM Query:

source="auth.log" AND (event="session opened for user root" OR event="FAILED su")
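The crash indicator above can be checked on the host itself. The following is an added example written for this page, not code from X.Org or from any detection product: it scans an Xorg-format log for the server's own "(EE) Caught signal" crash markers, reports one event per crash with the log timestamp and signal number, and returns a non-zero exit status when nothing is found so it can drive an alert. The sample log it creates is constructed in the Xorg.0.log format, not a real capture.

```shell
#!/bin/sh
# Added example (not X.Org code): flag X server crashes in an Xorg log, the
# host-side trace a failed memory-corruption attempt against the server leaves.

# xorg_crash_events FILE -> one line per crash: "<log-seconds> signal <n>"
# Matches the X server's own "[ secs] (EE) Caught signal N (...)" lines.
xorg_crash_events() {
    sed -n 's/^\[ *\([0-9.]*\)\] (EE) Caught signal \([0-9]*\).*/\1 signal \2/p' "$1"
}

# xorg_crash_count FILE -> number of crash events in the log
xorg_crash_count() {
    xorg_crash_events "$1" | wc -l | tr -d ' '
}

# xorg_alert FILE -> prints a summary; exit 0 if any crash found, 1 otherwise
xorg_alert() {
    n=$(xorg_crash_count "$1")
    if [ "$n" -gt 0 ]; then
        echo "ALERT: $n X server crash(es) in $1"
        xorg_crash_events "$1" | while read -r ts _ sig; do
            echo "  t=${ts}s signal ${sig}"
        done
        return 0
    fi
    echo "no X server crashes in $1"
    return 1
}

# make_sample_log -> writes a constructed Xorg.0.log-style file, prints its path.
# The content is invented for this example; it is not a real incident log.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[    12.345] (II) xfree86: Adding drm device (/dev/dri/card0)
[  2450.120] (EE)
[  2450.120] (EE) Backtrace:
[  2450.130] (EE) Caught signal 11 (Segmentation fault). Server aborting
[  2450.130] (EE)
[  2499.000] (II) Server terminated successfully (0). Closing log file.
EOF
    printf '%s\n' "$f"
}

SAMPLE_LOG=$(make_sample_log)
xorg_alert "$SAMPLE_LOG"
```

Against a real host run 'xorg_alert /var/log/Xorg.0.log' (or '~/.local/share/xorg/Xorg.0.log' for rootless Xorg); on systemd hosts the same markers appear in 'journalctl -u display-manager'. A crash only means an attempt failed or a driver bug fired, so treat it as a trigger to look for the root-process indicators listed above, not as proof of compromise.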
