CVE-2021-38172

9.8 CRITICAL

📋 TL;DR

CVE-2021-38172 is a buffer overflow vulnerability in perM 0.4.0 caused by improper use of strncpy. This allows attackers to execute arbitrary code or cause denial of service. Users running perM 0.4.0 on Debian systems are affected.

💻 Affected Systems

Products:
  • perM
Versions: 0.4.0 (specifically versions before 0.4.0-7 on Debian)
Operating Systems: Debian Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects Debian's packaging of perM 0.4.0 before version 0.4.0-7.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Denial of service causing application crashes and service disruption.

🟢 If Mitigated

Limited impact with proper network segmentation and minimal privileges.

🌐 Internet-Facing: HIGH - Buffer overflow vulnerabilities can be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or through lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Buffer overflow exploitation requires specific conditions, but strncpy vulnerabilities are a well-understood attack vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.4.0-7 (Debian package version)

Vendor Advisory: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993019

Restart Required: Yes

Instructions:

1. Update Debian system: sudo apt update && sudo apt upgrade
2. Specifically update perM: sudo apt install --only-upgrade perm
3. Restart any services using perM

🔧 Temporary Workarounds

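Network Isolation

Restrict network access to perM services to trusted networks only

# Use one of the two commands; [PERM_PORT] is a placeholder for the port perM listens on.
# As written, each rule blocks that port for every source address.
sudo ufw deny from any to any port [PERM_PORT]
sudo iptables -A INPUT -p tcp --dport [PERM_PORT] -j DROP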

Process Sandboxing

Run perM with minimal privileges using containerization or sandboxing

# Use one of the two commands; [PERM_IMAGE] is a placeholder for a container image that holds perM.
docker run --read-only --cap-drop=ALL [PERM_IMAGE]
firejail --private --net=none perm

🧯 If You Can't Patch

  • Remove perM from internet-facing systems and restrict to internal networks only
  • Implement strict network segmentation and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check perM version: dpkg -l | grep perm

Check Version:

dpkg -s perm | grep Version

Verify Fix Applied:

Verify installed version is 0.4.0-7 or higher: dpkg -s perm | grep Version
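
The version checks above print the Version field but leave the comparison to the reader. The following added example (not part of the original advisory or of Debian's tooling) compares the installed revision against 0.4.0-7 using dpkg's own ordering. The function names are hypothetical; the package name and fixed version are the ones given on this page.

```shell
#!/bin/sh
# Added example: decide whether the installed perm package is at or above
# the fixed Debian revision named on this page.
PKG="perm"        # package name as used in the commands on this page
FIXED="0.4.0-7"   # fixed Debian package version from this page

# classify_version VERSION -> prints "patched" or "vulnerable".
# dpkg --compare-versions applies Debian ordering, so 0.4.0-10 and
# 0.4.0-7+b1 rank above 0.4.0-7; a plain string comparison would not.
classify_version() {
    if dpkg --compare-versions "$1" ge "$FIXED"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# installed_version PACKAGE -> prints the version only when the package
# is in the "installed" state; prints nothing for removed or config-only
# packages, which "dpkg -l | grep" would still list.
installed_version() {
    dpkg-query -W -f='${Status} ${Version}\n' "$1" 2>/dev/null |
        awk '$3 == "installed" { print $4 }'
}

# report PACKAGE -> one status line for the local host.
report() {
    ver=$(installed_version "$1")
    if [ -z "$ver" ]; then
        echo "$1: not installed"
    else
        echo "$1 $ver: $(classify_version "$ver")"
    fi
}

report "$PKG"
```
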

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors in system logs
  • Unexpected process termination of perM
  • Memory access violation messages

Network Indicators:

  • Unusual network traffic patterns to perM ports
  • Repeated connection attempts with malformed data

SIEM Query:

source="system" ("segmentation fault" OR "SIGSEGV") AND process="perm"
