CVE-2021-3621

8.8 HIGH

📋 TL;DR

CVE-2021-3621 is a shell command injection flaw in sssctl, the administrative tool shipped with SSSD. The logs-fetch and cache-expire subcommands built the command line for the external program they run (tar for logs-fetch, sss_cache for cache-expire) by formatting user-supplied arguments into a string and handing it to a shell, so an argument containing shell metacharacters runs as a separate command with the privileges of the sssctl process. Because sssctl is normally run as root, an attacker who can get root to execute a crafted invocation (typically through a sudoers rule or admin script that passes their arguments to sssctl) gains arbitrary root command execution. Systems running a vulnerable SSSD build are affected.

💻 Affected Systems

Products:
  • SSSD (System Security Services Daemon)
Versions: Before 2.6.0 (the upstream fix shipped in 2.6.0; distributions backported it to older package versions, so the version number alone does not tell you whether a given package is fixed)
Operating Systems: Linux distributions including RHEL, CentOS, Fedora, Debian, Ubuntu
Default Config Vulnerable: ⚠️ Yes
Notes: The injection only pays off when an unprivileged user can cause root to run sssctl with attacker-controlled arguments. The common path is a sudoers rule that delegates sssctl (or a script that calls it) and accepts free-form arguments.

📦 What is this software?

SSSD (System Security Services Daemon) is the Linux daemon that provides identity lookup and authentication against remote providers such as LDAP, Kerberos, FreeIPA and Active Directory, with local caching for offline operation. sssctl is its root-run administrative command-line tool, used for tasks such as listing domains, expiring cached entries (cache-expire) and collecting log files for support (logs-fetch).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with root access, allowing complete control over confidentiality, integrity, and availability.

🟠

Likely Case

Privilege escalation to root by tricking administrators into running malicious sssctl commands via sudo or other mechanisms.

🟢

If Mitigated

Limited impact if sssctl is not delegated to untrusted users (no permissive sudoers rule or administrative script forwarding their arguments to it) and any arguments that do reach it are validated before execution.

🌐 Internet-Facing: LOW - Requires local access or ability to trick authenticated users into running commands.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation needs a path by which attacker-controlled arguments reach a root-run sssctl: a sudoers rule that delegates sssctl with wildcard arguments, an administrative script that forwards user input to it, or an administrator persuaded to paste a crafted command. No authentication bypass or network access is involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SSSD 2.6.0 and later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1975142

Restart Required: No (sssctl is a standalone binary, so the fixed tool is used on its next invocation regardless of whether the package upgrade restarts the sssd service)

Instructions:

1. Update SSSD to version 2.6.0 or later, or to your distribution's patched build, using the package manager.
2. For RHEL/CentOS/Fedora: 'yum update sssd' (or 'dnf update sssd').
3. For Debian/Ubuntu: 'apt update && apt upgrade sssd'.
4. Verify the update with 'sssd --version', 'rpm -q sssd' or 'dpkg -l sssd'. If the installed version is still below 2.6.0, confirm the backport through the package changelog: 'rpm -q --changelog sssd | grep CVE-2021-3621' or 'apt changelog sssd | grep CVE-2021-3621'.

🔧 Temporary Workarounds

Restrict sssctl command execution

linux

Limit which users can cause root to run sssctl, whether through sudo, setuid helpers or administrative scripts.

Review the sudoers file and remove sssctl from rules granted to non-administrators.
Where delegation is needed, list the exact arguments instead of using a wildcard: a '*' in a sudoers command specification matches any number of words, spaces included, so a rule such as 'sssctl logs-fetch *' still lets an injected ';' or '$( )' through.

Input validation wrapper

linux

Put a wrapper script in front of sssctl that validates arguments before execution, and make the wrapper (not sssctl) the command named in sudoers and in any automation.

The wrapper should reject any argument to logs-fetch or cache-expire that contains characters outside a small allowlist (letters, digits, and the punctuation found in paths, user names and option names), since the vulnerable code passes those arguments to a shell verbatim.
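A wrapper of that shape, as an added example (not SSSD's code and not taken from any vendor advisory). It assumes sssctl is installed at /usr/sbin/sssctl (the SSSCTL_BIN environment variable overrides that) and that it is installed root-owned, mode 0755, as the command sudoers points at in place of sssctl.

```python
#!/usr/bin/env python3
"""sssctl-safe: argument-validating wrapper placed in front of sssctl.

Added example; not part of SSSD. Assumes sssctl lives at /usr/sbin/sssctl
(override with the SSSCTL_BIN environment variable).
"""
import os
import re
import sys

SSSCTL_BIN = os.environ.get("SSSCTL_BIN", "/usr/sbin/sssctl")

# Subcommands the advisory names: in vulnerable builds their arguments were
# formatted into a command string and handed to a shell.
GUARDED_SUBCOMMANDS = {"logs-fetch", "cache-expire"}

# Allowlist covering paths, user/domain names and option names. Anything
# else (space, ; | & $ ` ( ) < > quotes, newline, backslash, ...) is refused,
# so no argument can terminate or extend the command sssctl builds.
SAFE_ARG = re.compile(r"[A-Za-z0-9._/@:+=-]+")


def check_args(argv):
    """Return the first unsafe argument, or None when every argument passes.

    Only the guarded subcommands are checked; every other sssctl subcommand
    passes through untouched so the wrapper does not change its behaviour.
    """
    if not argv or argv[0] not in GUARDED_SUBCOMMANDS:
        return None
    for arg in argv[1:]:
        if not SAFE_ARG.fullmatch(arg):
            return arg
    return None


def main(argv=None):
    """Validate argv, then replace this process with the real sssctl."""
    argv = sys.argv[1:] if argv is None else argv
    bad = check_args(argv)
    if bad is not None:
        sys.stderr.write(f"sssctl-safe: refusing argument {bad!r}\n")
        return 2
    # execv passes argv as a list; no shell ever sees these strings.
    os.execv(SSSCTL_BIN, [SSSCTL_BIN, *argv])


if __name__ == "__main__":
    sys.exit(main())
```

With the wrapper at /usr/local/sbin/sssctl-safe, a delegation rule would read 'ops ALL=(root) /usr/local/sbin/sssctl-safe', and sssctl itself would no longer appear in sudoers. The allowlist deliberately excludes spaces, so log archives must be written to paths without them; that is the price of not having to enumerate every shell metacharacter.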

🧯 If You Can't Patch

  • Restrict sudo access to sssctl to trusted administrators only, and spell out exact argument lists rather than wildcards
  • Implement strict input validation for any scripts or tools that call sssctl

🔍 How to Verify

Check if Vulnerable:

Check the SSSD version with 'sssd --version', 'rpm -q sssd' or 'dpkg -l sssd'. A version below 2.6.0 is vulnerable unless the distribution backported the fix; on such systems check the package changelog for CVE-2021-3621 ('rpm -q --changelog sssd | grep CVE-2021-3621' or 'apt changelog sssd | grep CVE-2021-3621').

Check Version:

sssd --version

Verify Fix Applied:

Confirm the version is 2.6.0 or later with 'sssd --version', or that the package changelog records the CVE-2021-3621 backport.

📡 Detection & Monitoring

Log Indicators:

  • sssctl logs-fetch or cache-expire invocations (directly or under sudo) whose arguments contain shell metacharacters such as ; | & $ ` ( ) < >
  • A shell or other unexpected child process spawned by sssctl immediately after such an invocation, rather than only the archive or cache tool it normally runs

Network Indicators:

  • None - this is a local command injection vulnerability

SIEM Query:

Process execution where command contains 'sssctl' AND (command contains 'logs-fetch' OR command contains 'cache-expire') AND arguments contain shell metacharacters. With auditd as the source, match on the decoded EXECVE argument fields rather than the raw line: auditd writes an argument as bare hex (not quoted text) whenever it contains a space, a double quote or a non-printable byte, so a raw-line search for ';' misses an argument like '/tmp/x; id'.
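Detection logic of that shape run over auditd EXECVE records, as an added example (not from SSSD, a vendor or this page's source). It assumes execve auditing is enabled (an audit rule such as '-a always,exit -F arch=b64 -S execve -k exec'); the records, timestamps and paths below are constructed, not captured.

```python
"""Flag CVE-2021-3621-style sssctl invocations in auditd EXECVE records.

Added example, not code from SSSD or a vendor. Assumes execve auditing is
on so that each execution produces a type=EXECVE record with aN="..." fields.
"""
import re

# Subcommands the advisory names; their arguments reached a shell in
# vulnerable sssctl builds.
GUARDED = {"logs-fetch", "cache-expire"}

# Characters that end or extend a shell command line. Space is included
# because it separates an injected command from its own arguments.
META = re.compile(r"[;|&$`()<>\n'\"\\ ]")

# aN=<value>: auditd writes the value quoted when it is plain printable text
# and as bare hex when it contains a space, a double quote or a non-printable
# byte. A raw-line grep for ';' therefore misses `/tmp/x; id`.
FIELD = re.compile(r'\ba(\d+)=("[^"]*"|[0-9A-Fa-f]+)')


def parse_execve_args(record):
    """Return argv reconstructed from one EXECVE record, hex fields decoded."""
    args = {}
    for idx, val in FIELD.findall(record):
        if val.startswith('"'):
            args[int(idx)] = val[1:-1]
        else:
            args[int(idx)] = bytes.fromhex(val).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]


def is_sssctl_injection(argv):
    """True when argv runs sssctl (directly or under sudo) with a guarded
    subcommand and at least one argument containing a shell metacharacter."""
    names = [a.rsplit("/", 1)[-1] for a in argv]
    if "sssctl" not in names:
        return False
    rest = argv[names.index("sssctl") + 1:]
    if not rest or rest[0] not in GUARDED:
        return False
    return any(META.search(a) for a in rest[1:])


def scan(records):
    """Return the argv of every EXECVE record that looks like an attempt."""
    hits = []
    for rec in records:
        if "type=EXECVE" in rec:
            argv = parse_execve_args(rec)
            if is_sssctl_injection(argv):
                hits.append(argv)
    return hits


# Constructed sample records (not from a real system).
SAMPLE_RECORDS = [
    # Benign: an admin archiving logs to an ordinary path.
    'type=EXECVE msg=audit(1626000001.100:501): argc=3 a0="sssctl" '
    'a1="logs-fetch" a2="/var/tmp/sssd-logs.tar.xz"',
    # Attempt via sudo: "/tmp/x; id" contains a space, so auditd logs it as hex.
    'type=EXECVE msg=audit(1626000002.200:502): argc=4 a0="sudo" a1="sssctl" '
    'a2="logs-fetch" a3=2F746D702F783B206964',
    # Attempt without a space: "$(id)" stays in plain quoted form.
    'type=EXECVE msg=audit(1626000003.300:503): argc=4 a0="sssctl" '
    'a1="cache-expire" a2="-u" a3="alice$(id)"',
    # Other subcommand: out of scope, never flagged.
    'type=EXECVE msg=audit(1626000004.400:504): argc=2 a0="sssctl" a1="domain-list"',
]

if __name__ == "__main__":
    for argv in scan(SAMPLE_RECORDS):
        print("suspicious sssctl invocation:", argv)
```

Running the block flags the second and third records and leaves the benign logs-fetch and the domain-list call alone. The same two checks (decode hex fields first, then test the decoded arguments) carry over to a SIEM that ingests auditd: apply the metacharacter match to the parsed argument fields, not to the raw message.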

🔗 References
