CVE-2021-3626
📋 TL;DR
This vulnerability in Multipass for Windows allows any local process to connect to the control socket and mount host directories into guest VMs, enabling privilege escalation. It affects Windows users running Multipass versions before 1.7.0. Attackers could gain elevated privileges by manipulating mounts from the host system.
💻 Affected Systems
- Multipass
📦 What is this software?
Multipass by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full administrative privileges on the host system by mounting sensitive directories into a controlled guest VM and extracting credentials or executing arbitrary code.
Likely Case
Local user escalates privileges to perform unauthorized actions, access restricted files, or compromise other user accounts on the same system.
If Mitigated
Limited impact if proper access controls restrict local user accounts and monitoring detects unusual mount activity.
🎯 Exploit Status
Exploitation requires local access but is straightforward once an attacker can run code on the system. The vulnerability is well-documented in the public pull request.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.0
Vendor Advisory: https://github.com/canonical/multipass/pull/2150
Restart Required: Yes
Instructions:
1. Stop all Multipass instances.
2. Download and install Multipass 1.7.0 or later from the official repository.
3. Restart the Multipass service.
4. Verify the version with 'multipass version'.
🔧 Temporary Workarounds
Disable Multipass Service
Windows: Temporarily disable the Multipass service to prevent exploitation until patching is possible.
Stop-Service -Name Multipass
Set-Service -Name Multipass -StartupType Disabled
Restrict Local User Access
Windows: Implement strict access controls to limit which local users can run processes on affected systems.
🧯 If You Can't Patch
- Remove Multipass from systems where it is not essential for operations
- Implement network segmentation and restrict lateral movement from potentially compromised systems
🔍 How to Verify
Check if Vulnerable:
Check the Multipass version with the 'multipass version' command. If the version is below 1.7.0, the system is vulnerable.
Check Version:
multipass version
Verify Fix Applied:
Run 'multipass version' and confirm that the version is 1.7.0 or higher. Test that mounts still work properly for authorized users.
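An added PowerShell check (not code from the advisory or from the Multipass project) that automates the version test above for both the client and the daemon. It assumes 'multipass version' prints one '<component> <version>' line per component, with an optional platform suffix such as '+win'.

```powershell
# Added example (not from the advisory or the Multipass project): checks whether the
# installed Multipass client and daemon are at least 1.7.0, the version that fixes
# CVE-2021-3626. Assumes 'multipass version' prints one "<name> <version>" pair per
# line, e.g. "multipass   1.7.0+win" / "multipassd  1.7.0+win" (output format assumed).

$FixedVersion = [version]'1.7.0'

function Get-MultipassVersions {
    # Returns a hashtable of component name -> [version], or $null if the
    # multipass client is not on PATH. A platform suffix such as "+win" is
    # dropped by the regex before parsing.
    if (-not (Get-Command multipass -ErrorAction SilentlyContinue)) {
        return $null
    }
    $versions = @{}
    foreach ($line in (& multipass version 2>$null)) {
        # Match "<component>  <major>.<minor>.<patch>[+suffix]"
        if ($line -match '^\s*(multipassd?)\s+(\d+\.\d+\.\d+)') {
            $versions[$Matches[1]] = [version]$Matches[2]
        }
    }
    return $versions
}

function Test-MultipassVulnerable {
    # Returns $true when either the client or the daemon is below 1.7.0.
    # The daemon (multipassd) is the component that exposes the control socket,
    # so an outdated daemon matters even when the client binary is current.
    $versions = Get-MultipassVersions
    if ($null -eq $versions) {
        Write-Host 'Multipass is not installed; CVE-2021-3626 does not apply.'
        return $false
    }
    $vulnerable = $false
    foreach ($component in $versions.Keys) {
        $v = $versions[$component]
        if ($v -lt $FixedVersion) {
            Write-Host "$component $v is below $FixedVersion -> VULNERABLE"
            $vulnerable = $true
        } else {
            Write-Host "$component $v is at or above $FixedVersion -> patched"
        }
    }
    if (-not $versions.ContainsKey('multipassd')) {
        # With the service stopped (e.g. the workaround above) the client may print
        # no daemon line, so say so rather than silently reporting "patched".
        Write-Host 'multipassd version not reported (service stopped?); re-check once it is running.'
    }
    return $vulnerable
}

Test-MultipassVulnerable
```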
📡 Detection & Monitoring
Log Indicators:
- Unusual mount operations in Multipass logs
- Multiple failed authentication attempts to the Multipass control socket
- Processes connecting to the Multipass control socket from unexpected user accounts
Network Indicators:
- Local connections to the Multipass control socket (typically localhost:XXXX)
- Unusual network activity from Multipass guest VMs
SIEM Query:
ProcessName="multipass" AND (EventID=4688 OR EventID=4689) AND CommandLine CONTAINS "mount"