CVE-2021-3747

8.8 HIGH

📋 TL;DR

This vulnerability in Multipass for macOS allows local privilege escalation due to incorrect directory ownership. An attacker with local access can modify application files to execute arbitrary code with elevated privileges. Only macOS users running Multipass version 1.7.0 are affected.

💻 Affected Systems

Products:
  • Multipass
Versions: Version 1.7.0 only
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects macOS installations of Multipass. Windows and Linux versions are not vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise through privilege escalation leading to root access, data theft, and persistent backdoor installation.

🟠

Likely Case

Local attacker gains elevated privileges to modify system files, install malware, or access sensitive data from other user accounts.

🟢

If Mitigated

Limited impact if proper access controls and monitoring are in place, though privilege escalation risk remains.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: HIGH - Any compromised user account on affected systems can escalate privileges to compromise the entire system.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the system. The vulnerability is straightforward to exploit once local access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.2

Vendor Advisory: https://github.com/canonical/multipass/issues/2261

Restart Required: No

Instructions:

1. Update Multipass to version 1.7.2 or later.
2. Run: brew upgrade multipass (if installed via Homebrew).
3. Alternatively, download the latest version from the official Multipass releases page.

🔧 Temporary Workarounds

Manual directory ownership correction

macos

Manually set correct ownership on Multipass application directories

sudo chown -R root:wheel /Applications/Multipass.app
sudo chmod -R 755 /Applications/Multipass.app

🧯 If You Can't Patch

  • Restrict local access to affected systems and implement strict user privilege separation
  • Monitor for unauthorized file modifications in Multipass application directories

🔍 How to Verify

Check if Vulnerable:

Check the Multipass version by running: multipass version. If the output shows 1.7.0, the system is vulnerable.

Check Version:

multipass version

Verify Fix Applied:

After updating, verify that the version is 1.7.2 or later: multipass version. Also check the directory ownership: ls -la /Applications/Multipass.app
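
The ownership check above, extended to the whole bundle as an added example (not part of the original advisory or the Multipass project): the hypothetical audit_bundle function lists every entry under a directory that is not owned by the expected user or is writable by group or other, which is the state the root:wheel / 755 workaround is meant to rule out. The function name and exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit an application bundle for ownership and write-permission
# problems. Uses only find(1) tests that exist in both BSD (macOS) and GNU find.

# audit_bundle DIR [OWNER]
#   Prints one offending path per line.
#   Returns 0 if nothing is flagged, 1 if anything is flagged, 2 if DIR is missing.
audit_bundle() {
    dir=$1
    owner=${2:-root}   # the workaround on this page sets root:wheel
    if [ ! -d "$dir" ]; then
        echo "audit_bundle: not a directory: $dir" >&2
        return 2
    fi
    # Flag an entry when it has the wrong owner, or when it is group- or
    # other-writable (mode 755 sets neither bit). Symlinks are skipped for the
    # mode test because their own permission bits are not meaningful.
    findings=$(find "$dir" \( ! -user "$owner" -o \
        \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# When run as a script with arguments, audit that path:
#   sh audit.sh /Applications/Multipass.app root
if [ "$#" -gt 0 ]; then
    audit_bundle "$@"
fi
```

Any path printed for /Applications/Multipass.app is an entry to correct with the workaround commands or to investigate as a possible modification.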

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized file modifications in /Applications/Multipass.app directory
  • Unexpected privilege escalation attempts

Network Indicators:

  • None - this is a local privilege escalation vulnerability

SIEM Query:

Process creation events showing unexpected privilege escalation or file modification in Multipass directories
