CVE-2021-40084

9.8 CRITICAL

📋 TL;DR

CVE-2021-40084 is a critical vulnerability in opensysusers (versions through 0.6) that allows remote code execution via shell injection in the GECOS field. Attackers can execute arbitrary commands with root privileges by crafting malicious sysusers.d configuration files. This affects systems using opensysusers for user management instead of systemd-sysusers.

💻 Affected Systems

Products:
  • opensysusers
Versions: All versions through 0.6
Operating Systems: Linux distributions using opensysusers (particularly Artix Linux)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using opensysusers instead of systemd-sysusers. The vulnerability lies in how opensysusers processes the files in the /etc/sysusers.d/ directory.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with root-level arbitrary code execution, allowing complete control over the affected system, data theft, and lateral movement.

🟠 Likely Case: Privilege escalation to root and installation of persistent backdoors or malware on vulnerable systems.

🟢 If Mitigated: Limited impact if proper file permissions prevent unauthorized writes to the sysusers.d directory and if opensysusers is not used.

🌐 Internet-Facing: MEDIUM - Exploitation requires the ability to write to the sysusers.d directory, which typically requires some level of access, but web applications or services with file upload capabilities could facilitate this.
🏢 Internal Only: HIGH - Internal attackers with any level of access could exploit this to gain root privileges and compromise the entire system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to create or modify files in the sysusers.d directory. The vulnerability is in the eval() call that processes shell metacharacters present in configuration files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 0.7 and later

Vendor Advisory: https://github.com/artix-linux/opensysusers/releases

Restart Required: No

Instructions:

1. Update opensysusers to version 0.7 or later using your package manager.
2. For Artix Linux: 'pacman -Syu opensysusers'.
3. For other distributions: use appropriate package manager commands to update to patched version.

🔧 Temporary Workarounds

Replace opensysusers with systemd-sysusers

Switch to systemd-sysusers which is not vulnerable to this issue and follows the same specification

# Remove opensysusers and install systemd-sysusers
pacman -R opensysusers
pacman -S systemd-sysusers

Restrict sysusers.d directory permissions

Set strict permissions on /etc/sysusers.d/ to prevent unauthorized file creation/modification

chmod 700 /etc/sysusers.d/
chown root:root /etc/sysusers.d/

🧯 If You Can't Patch

  • Monitor the /etc/sysusers.d/ directory for unauthorized file changes using file integrity monitoring
  • Implement strict access controls to prevent unauthorized users from writing to the sysusers.d directory
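The permission workaround and the two "if you can't patch" items above can be turned into a single repeatable check. The script below is an added example, not code from this advisory or from the opensysusers project: it verifies that a sysusers.d directory is root-owned and not writable by group or others, then scans every *.conf file in it and flags any entry whose GECOS field contains shell metacharacters, which is the shape an injected entry would take. It assumes the standard sysusers.d line layout "Type Name ID GECOS Home Shell" with only the GECOS field double-quoted; the sample files it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the advisory or the opensysusers project.
# Audits a sysusers.d directory for (1) ownership/permissions and (2) GECOS
# fields carrying shell metacharacters. Assumed layout per line:
#   Type Name ID GECOS Home Shell   (only GECOS is double-quoted)

# Print the owner (user name) of DIR as reported by ls -ld.
dir_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# True (exit 0) if DIR has the group- or world-writable bit set.
# ls -ld mode string: d rwx rwx rwx -> group 'w' at index 5, other 'w' at 8.
dir_writable_by_others() {
    perm=$(ls -ld "$1" | cut -c1-10)
    case "$perm" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# Print the GECOS field of one sysusers.d line: the first double-quoted
# segment when present, otherwise the 4th whitespace-separated field.
gecos_of() {
    case "$1" in
        *\"*) printf '%s\n' "$1" | sed 's/^[^"]*"\([^"]*\)".*/\1/' ;;
        *)    printf '%s\n' "$1" | awk '{print $4}' ;;
    esac
}

# Scan every *.conf in DIR; report lines whose GECOS contains shell
# metacharacters on stderr and print the number of such lines on stdout.
scan_sysusers_dir() {
    hits=0
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            t=${line#"${line%%[![:space:]]*}"}      # strip leading whitespace
            case "$t" in ''|'#'*) continue ;; esac  # blank or comment line
            g=$(gecos_of "$t")
            if printf '%s\n' "$g" | grep -q '[`$;|&()<>]'; then
                echo "$f:$n: GECOS contains shell metacharacters: $g" >&2
                hits=$((hits + 1))
            fi
        done < "$f"
    done
    echo "$hits"
}

# Run all checks on DIR; return 0 only when nothing is flagged.
audit_dir() {
    rc=0
    echo "owner of $1: $(dir_owner "$1") (expected: root)"
    if dir_writable_by_others "$1"; then
        echo "WARNING: $1 is group- or world-writable"
        rc=1
    fi
    count=$(scan_sysusers_dir "$1")
    echo "entries with shell metacharacters in GECOS: $count"
    [ "$count" -eq 0 ] || rc=1
    return $rc
}

# Build a throwaway directory with constructed sample files; print its path.
make_demo_dir() {
    d=$(mktemp -d)
    cat > "$d/10-benign.conf" <<'EOF'
# constructed sample: ordinary entries
u  www-data  33  "Web Server"   /var/www      /usr/sbin/nologin
g  audit     -
u  backup    -   "Backup User"  /var/backups
EOF
    cat > "$d/99-suspicious.conf" <<'EOF'
# constructed sample: GECOS carrying a command substitution
u  demo  -  "Demo $(true) Account"  /home/demo  /bin/sh
EOF
    chmod 755 "$d"
    printf '%s\n' "$d"
}

# Stand-alone use: sh audit-sysusers.sh /etc/sysusers.d
# With no argument, the constructed demo directory is audited instead.
if [ $# -gt 0 ]; then
    audit_dir "$1" || true
else
    demo=$(make_demo_dir)
    audit_dir "$demo" || true
    rm -rf "$demo"
fi
```

Run it from cron or a configuration-management check against /etc/sysusers.d and alert when the exit status is non-zero; the metacharacter list is deliberately broad, so a flagged line is a prompt to inspect the file, not proof of compromise.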

🔍 How to Verify

Check if Vulnerable:

Check the opensysusers version: 'opensysusers --version' or 'pacman -Qi opensysusers'. If the version is 0.6 or earlier, the system is vulnerable.

Check Version:

opensysusers --version || pacman -Qi opensysusers | grep Version

Verify Fix Applied:

Verify that the opensysusers version is 0.7 or later: 'opensysusers --version' should show 0.7 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual processes spawned from opensysusers execution
  • Unexpected file creation in /etc/sysusers.d/
  • Failed attempts to write to sysusers.d directory

Network Indicators:

  • Outbound connections from opensysusers process to unexpected destinations

SIEM Query:

process_name:"opensysusers" AND (command_line:"eval" OR command_line:"sh -c")
