CVE-2021-36795

7.8 HIGH

📋 TL;DR

A permission issue in the Cohesity Linux agent allows local privilege escalation. An underprivileged Linux user can gain additional privileges if certain environmental conditions are met. Affects Cohesity Linux agent versions 6.5.1b through 6.5.1d-hotfix10 and 6.6.0a through 6.6.0b-hotfix1.

💻 Affected Systems

Products:
  • Cohesity Linux Agent
Versions: 6.5.1b to 6.5.1d-hotfix10, 6.6.0a to 6.6.0b-hotfix1
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires specific environmental conditions to be met for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains root privileges on the system, enabling complete system compromise, data theft, and lateral movement.

🟠 Likely Case

Local users escalate privileges to perform unauthorized administrative actions or access restricted data.

🟢 If Mitigated

Limited impact if proper access controls and monitoring are in place to detect privilege escalation attempts.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local user access.
🏢 Internal Only: HIGH - Internal users with local access can exploit this to gain elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local user access and specific environmental conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 6.5.1d-hotfix10 and 6.6.0b-hotfix1

Vendor Advisory: https://github.com/cohesity/SecAdvisory/blob/master/CVE-2021-36795.md

Restart Required: Yes

Instructions:

1. Update Cohesity Linux agent to version 6.5.1d-hotfix11 or later for 6.5.x branch.
2. Update to version 6.6.0b-hotfix2 or later for 6.6.x branch.
3. Restart the agent service after update.

🔧 Temporary Workarounds

Restrict Local User Access

Limit local user accounts on systems running Cohesity Linux agent to reduce attack surface.

# Review and remove unnecessary local users
# Use 'userdel' command to remove users
# Implement least privilege access controls

🧯 If You Can't Patch

  • Implement strict access controls to limit local user privileges.
  • Monitor system logs for privilege escalation attempts and unauthorized access.

🔍 How to Verify

Check if Vulnerable:

Check the Cohesity agent version using 'cohesity-agent --version' or a similar command and compare it against the affected versions.

Check Version:

cohesity-agent --version

Verify Fix Applied:

Verify that the agent version is updated to a patched version and test that privilege escalation attempts fail.
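The version comparison described above can be scripted across an inventory. This is an added example, not a Cohesity tool: it assumes version strings have the shape written on this page (`MAJOR.MINOR.PATCH`, an optional release letter, an optional `-hotfixN` suffix), and the function names and sample hosts are hypothetical.

```python
import re

# Assumed version format, taken from the strings on this page:
# MAJOR.MINOR.PATCH + optional release letter + optional "-hotfixN".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-hotfix(\d+))?$")

# Affected ranges (inclusive) as stated in the advisory text above.
AFFECTED_RANGES = [
    ("6.5.1b", "6.5.1d-hotfix10"),
    ("6.6.0a", "6.6.0b-hotfix1"),
]


def parse_version(text):
    """Return a sortable tuple (major, minor, patch, letter, hotfix)."""
    m = _VERSION_RE.match(text.strip().lower())
    if m is None:
        raise ValueError(f"unrecognised agent version: {text!r}")
    major, minor, patch, letter, hotfix = m.groups()
    # A build without a hotfix suffix sorts before hotfix1 of the same release.
    return (int(major), int(minor), int(patch), letter, int(hotfix or 0))


def is_affected(version):
    """True if version falls inside any affected range, bounds included."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Map host -> 'AFFECTED' / 'ok' / 'UNPARSED' for a host:version dict."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "AFFECTED" if is_affected(version) else "ok"
        except ValueError:
            # Never treat an unreadable version as safe; flag it for review.
            result[host] = "UNPARSED"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (host names and versions are made up).
    sample = {"db01": "6.5.1c", "db02": "6.6.0b-hotfix2", "db03": "unknown"}
    for host, status in triage(sample).items():
        print(f"{host}: {sample[host]} -> {status}")
```

Hosts reported as `UNPARSED` need a manual check, since the real agent may print a longer build string than the short form assumed here.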

📡 Detection & Monitoring

Log Indicators:

  • Unexpected privilege escalation events
  • Failed or successful sudo/su attempts from non-admin users
  • Cohesity agent service restarts or permission changes

Network Indicators:

  • None - this is a local privilege escalation vulnerability

SIEM Query:

Search for events where user privilege level changes unexpectedly or Cohesity agent processes spawn with elevated privileges.
