CVE-2021-40153

8.1 HIGH

📋 TL;DR

This vulnerability in Squashfs-Tools allows directory traversal attacks during archive extraction. Attackers can craft malicious squashfs archives that write files outside the intended destination directory when unsquashfs processes them. Anyone using vulnerable versions of squashfs-tools to extract untrusted archives is affected.

💻 Affected Systems

Products:
  • squashfs-tools
Versions: 4.5 and earlier
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using unsquashfs to extract archives are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary file write leading to remote code execution, system compromise, or data destruction by overwriting critical system files.

🟠

Likely Case

Local privilege escalation or arbitrary file write to sensitive locations when processing malicious archives.

🟢

If Mitigated

Limited to file writes within user's permissions if proper access controls exist, but still dangerous for privilege escalation.

🌐 Internet-Facing: MEDIUM - Requires user to download and process malicious archives, but common in automated systems.
🏢 Internal Only: HIGH - Internal users with access to upload/process archives could exploit for privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires creating a malicious squashfs archive with directory traversal sequences in filenames.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5 with commit 79b5a555058eef4e1e7ff220c344d39f8cd09646 or later

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2021/08/msg00030.html

Restart Required: No

Instructions:

1. Update the squashfs-tools package using your distribution's package manager.
2. Debian/Ubuntu: sudo apt update && sudo apt upgrade squashfs-tools
3. Fedora: sudo dnf update squashfs-tools
4. Source installations: pull the latest from GitHub and rebuild.

🔧 Temporary Workarounds

Extract as unprivileged user (linux)

Run unsquashfs with minimal privileges to limit the damage scope; the destination directory must be writable by that user:

sudo -u nobody unsquashfs archive.squashfs

Use container isolation (linux)

Extract archives in an isolated container to prevent host system access. The stock alpine image does not ship unsquashfs, so install squashfs-tools first, and point -d at the bind-mounted directory so the extracted tree survives the container:

docker run --rm -v "$(pwd)":/data alpine sh -c 'apk add --no-cache squashfs-tools && unsquashfs -d /data/squashfs-root /data/archive.squashfs'

🧯 If You Can't Patch

  • Only extract archives from trusted sources with verified integrity
  • Run unsquashfs in chroot or containerized environments with restricted filesystem access
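A pre-extraction screen for the "trusted sources only" measure above, as an added example that is not part of this advisory or of squashfs-tools: it parses the output of `unsquashfs -ls` (the listing prefixes every entry with the destination directory name, by default `squashfs-root`) and flags entries that would resolve outside that root through `..` components or absolute paths. The listing text below is constructed, and the tool invocation assumes `unsquashfs` is on PATH; the check complements patching, it does not replace it.

```python
import posixpath

# Constructed sample of `unsquashfs -ls` output (not a listing of a real archive).
# The last two entries mimic a crafted archive with traversal sequences in names.
SAMPLE_LISTING = """\
Parallel unsquashfs: Using 4 processors
5 inodes (3 blocks) to write

squashfs-root
squashfs-root/etc
squashfs-root/etc/motd
squashfs-root/../../tmp/escaped
squashfs-root/bin/../../../root/.ssh/authorized_keys
"""


def entry_escapes_root(entry: str, root: str = "squashfs-root") -> bool:
    """True if an archive entry would resolve outside the extraction root."""
    if entry.startswith("/"):
        return True  # absolute path ignores the destination root entirely
    norm = posixpath.normpath(entry)  # collapses '.', '..' and repeated '/'
    return not (norm == root or norm.startswith(root + "/"))


def find_traversal_entries(listing: str, root: str = "squashfs-root") -> list[str]:
    """Return the entries of an `unsquashfs -ls` listing that escape the root."""
    flagged = []
    for line in listing.splitlines():
        line = line.rstrip()
        # Skip banner and blank lines: real entries start with the root name.
        if not (line == root or line.startswith(root + "/") or line.startswith("/")):
            continue
        if entry_escapes_root(line, root):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    import subprocess
    import sys

    if len(sys.argv) > 1:
        # Real use (assumes unsquashfs on PATH): list the archive before extracting.
        proc = subprocess.run(["unsquashfs", "-ls", sys.argv[1]],
                              capture_output=True, text=True, check=True)
        listing = proc.stdout
    else:
        listing = SAMPLE_LISTING
    bad = find_traversal_entries(listing)
    print("\n".join(bad) if bad else "no traversal entries found")
    sys.exit(1 if bad else 0)
```

Run it as `python3 check_squashfs.py archive.squashfs` and gate extraction on a zero exit status.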

🔍 How to Verify

Check if Vulnerable:

Check squashfs-tools version: unsquashfs -version | grep 'version'

Check Version:

unsquashfs -version

Verify Fix Applied:

Confirm the version is 4.5 with the patch commit or later; alternatively, run a known malicious test archive through unsquashfs, which should now be rejected.

📡 Detection & Monitoring

Log Indicators:

  • Failed file writes outside expected directories
  • unsquashfs processes with unusual arguments

Network Indicators:

  • Downloads of squashfs archives followed by extraction processes

SIEM Query:

process.name='unsquashfs' AND file.path contains '../'
