CVE-2021-40348

8.8 HIGH

📋 TL;DR

CVE-2021-40348 is a code injection vulnerability in Spacewalk 2.10 and Uyuni 2021.08 that allows attackers to append arbitrary code to root-owned files via the rhn-config-satellite.pl script. This affects systems where the script runs with tomcat user privileges via sudo, potentially leading to remote code execution as root. Organizations using Spacewalk or Uyuni for systems management are vulnerable.

💻 Affected Systems

Products:
  • Spacewalk
  • Uyuni
Versions: Spacewalk 2.10, Uyuni 2021.08 and earlier
Operating Systems: Linux distributions running Spacewalk/Uyuni
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when rhn-config-satellite.pl is run by the tomcat user via sudo, as in the default installation setup.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root-level code execution, allowing complete control over affected systems, data theft, and lateral movement within the network.

🟠 Likely Case

Privilege escalation from the tomcat user to root, enabling installation of backdoors, credential theft, and persistence mechanisms.

🟢 If Mitigated

Limited impact if proper sudo restrictions and file permissions prevent unauthorized script execution.

🌐 Internet-Facing: MEDIUM - Requires the ability to run commands as the tomcat user or equivalent sudo privileges, but web interfaces could provide an initial access vector.
🏢 Internal Only: HIGH - Internal attackers with tomcat access or sudo privileges can exploit this vulnerability with little effort.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to execute the vulnerable script with appropriate privileges. Public exploit details available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Uyuni spacewalk-admin 4.3.2-1 or later

Vendor Advisory: http://www.openwall.com/lists/oss-security/2021/10/28/4

Restart Required: Yes

Instructions:

1. Update to Uyuni spacewalk-admin 4.3.2-1 or later.
2. Apply vendor patches for Spacewalk 2.10.
3. Restart affected services.
4. Verify the fix by checking the version and testing functionality.

🔧 Temporary Workarounds

Restrict sudo permissions

Remove or restrict the tomcat user's sudo permission to execute rhn-config-satellite.pl:

sudo visudo
# Remove or comment out the tomcat user's sudo access to rhn-config-satellite.pl

File permission hardening

Set strict permissions on rhn-config-satellite.pl to prevent unauthorized execution:

sudo chmod 750 /usr/bin/rhn-config-satellite.pl
sudo chown root:root /usr/bin/rhn-config-satellite.pl

🧯 If You Can't Patch

  • Implement strict sudo restrictions to prevent tomcat user from executing vulnerable scripts
  • Monitor and audit all executions of rhn-config-satellite.pl and related processes

🔍 How to Verify

Check if Vulnerable:

Check if running Spacewalk 2.10 or Uyuni 2021.08 or earlier, and verify rhn-config-satellite.pl exists with tomcat sudo permissions.

Check Version:

rpm -q spacewalk-admin && spacewalk --version

Verify Fix Applied:

Verify that the spacewalk-admin version is 4.3.2-1 or later:

rpm -q spacewalk-admin
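The two checks above (package version and the tomcat sudo rule) can be scripted so they run the same way on every host. The following is an added example, not code from this advisory or from the Spacewalk/Uyuni projects: it parses the name-version-release string that `rpm -q` prints, compares it against the fixed 4.3.2-1 using a simplified form of rpm's version ordering, and audits sudoers text for rules that let tomcat reach rhn-config-satellite.pl. The package strings and the sudoers fragment are constructed sample input so it runs offline; the exact sudoers line on a real host may be spelled differently. The script's mode bits are deliberately not part of the verdict, because sudo runs the script as root regardless of who may execute it directly.

```python
"""Offline exposure check for CVE-2021-40348 (added example, constructed input)."""
import re

FIXED_VERSION = "4.3.2"   # fixed spacewalk-admin version named in the advisory
FIXED_RELEASE = "1"
SCRIPT = "rhn-config-satellite.pl"
ARCHES = ("noarch", "x86_64", "i686", "aarch64", "ppc64le", "s390x", "src")


def parse_rpm_nvr(nvr):
    """Split 'name-version-release[.arch]' (the form `rpm -q` prints) into
    (name, version, release). Names may contain hyphens, so split from the right."""
    nvr = nvr.strip()
    for arch in ARCHES:
        if nvr.endswith("." + arch):
            nvr = nvr[: -len(arch) - 1]
            break
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def vercmp(a, b):
    """Simplified rpm version comparison: digit runs compare numerically, letter
    runs lexically, a numeric segment outranks an alphabetic one, and on a tie
    the string with more segments is newer (rpmvercmp rules without the
    tilde/caret cases, which these versions do not use)."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def package_is_fixed(nvr):
    """True when the installed spacewalk-admin is 4.3.2-1 or newer."""
    name, version, release = parse_rpm_nvr(nvr)
    if name != "spacewalk-admin":
        raise ValueError("expected spacewalk-admin, got %s" % name)
    c = vercmp(version, FIXED_VERSION)
    if c != 0:
        return c > 0
    return vercmp(release, FIXED_RELEASE) >= 0


def tomcat_sudo_rules(sudoers_text):
    """Non-comment sudoers lines that grant the tomcat user (or any %group,
    flagged conservatively for review) a command naming the script."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SCRIPT in line and re.match(r"^(tomcat|%\S+)\s", line):
            hits.append(line)
    return hits


def assess(nvr, sudoers_text):
    """Combine both checks into one verdict string."""
    if package_is_fixed(nvr):
        return "patched"
    if tomcat_sudo_rules(sudoers_text):
        return "exposed"
    return "unpatched-but-sudo-restricted"


# --- constructed sample input (not from any real host) ---------------------
SAMPLE_OLD = "spacewalk-admin-4.2.1-1.uyuni.noarch"     # pre-fix package
SAMPLE_FIXED = "spacewalk-admin-4.3.2-1.uyuni.noarch"   # fixed package
SAMPLE_SUDOERS = """\
# constructed sudoers fragment for illustration only
Defaults:tomcat !requiretty
tomcat ALL=(root) NOPASSWD: /usr/bin/rhn-config-satellite.pl
"""

if __name__ == "__main__":
    for nvr in (SAMPLE_OLD, SAMPLE_FIXED):
        print(nvr, "->", assess(nvr, SAMPLE_SUDOERS))
```

On a live host, feed `assess()` the output of `rpm -q spacewalk-admin` and the concatenated contents of /etc/sudoers and /etc/sudoers.d; a verdict of "exposed" means both the vulnerable package and the sudo path are still present.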

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized execution of rhn-config-satellite.pl
  • Sudo logs showing tomcat user executing the script
  • Unexpected file modifications in system directories

Network Indicators:

  • Unusual outbound connections from Spacewalk/Uyuni servers
  • Anomalous SSH or remote access patterns

SIEM Query:

source="sudo.log" AND user="tomcat" AND command="rhn-config-satellite.pl"
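For teams without a SIEM, or for validating what the query above would return, the following added example (not part of this advisory) applies the same condition to raw sudo syslog lines: it parses each line into user, run-as user and command, flags invocations of rhn-config-satellite.pl by the tomcat user, and keeps rejected attempts ("command not allowed") separately, which become the interesting signal once the sudo rule has been removed as a workaround. It assumes the default sudo syslog line layout; all log lines are constructed samples with made-up hostnames, times and PIDs.

```python
"""Sudo log scan for CVE-2021-40348 indicators (added example, constructed log)."""
import re
from dataclasses import dataclass
from typing import List, Optional

SCRIPT = "rhn-config-satellite.pl"

# Default sudo syslog layout (assumed):
# "<ts> <host> sudo[pid]: <user> : <detail ...> USER=<runas> ; COMMAND=<cmd>"
SUDO_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\ssudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+)\s:\s(?P<detail>.*?)USER=(?P<runas>\S+)\s;\sCOMMAND=(?P<cmd>.*)$"
)


@dataclass
class SudoEvent:
    ts: str
    host: str
    user: str
    runas: str
    cmd: str
    denied: bool


def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Return a SudoEvent for a sudo syslog line, None for anything else."""
    m = SUDO_LINE.match(line.strip())
    if not m:
        return None
    detail = m.group("detail")
    denied = "command not allowed" in detail or "NOT in sudoers" in detail
    return SudoEvent(m.group("ts"), m.group("host"), m.group("user"),
                     m.group("runas"), m.group("cmd"), denied)


def invokes_script(cmd: str) -> bool:
    """Match on the basename so the script is caught whatever path it was run from."""
    argv = cmd.split()
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == SCRIPT


def find_script_invocations(lines, user="tomcat") -> List[SudoEvent]:
    """Events where `user` ran (or tried to run) the script through sudo.
    Pass user=None to see every account that touched it."""
    hits = []
    for line in lines:
        ev = parse_sudo_line(line)
        if ev and invokes_script(ev.cmd) and (user is None or ev.user == user):
            hits.append(ev)
    return hits


def summarize(lines, user="tomcat"):
    """Counts for a dashboard: sudo-permitted runs versus rejected attempts."""
    hits = find_script_invocations(lines, user)
    return {"allowed": sum(not h.denied for h in hits),
            "denied": sum(h.denied for h in hits)}


# --- constructed sample log (hostnames, times and PIDs are made up) --------
SAMPLE_LOG = """\
Oct 28 09:12:44 uyuni01 sudo[2143]: tomcat : TTY=unknown ; PWD=/usr/share/tomcat ; USER=root ; COMMAND=/usr/bin/rhn-config-satellite.pl
Oct 28 09:12:45 uyuni01 sudo[2150]: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/systemctl restart tomcat
Oct 28 09:13:01 uyuni01 sudo[2177]: tomcat : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/rhn-config-satellite.pl
Oct 28 09:14:10 uyuni01 sshd[2201]: Accepted publickey for admin from 10.0.0.5 port 50122 ssh2
"""

if __name__ == "__main__":
    for ev in find_script_invocations(SAMPLE_LOG.splitlines()):
        print("DENIED " if ev.denied else "ALLOWED", ev.ts, ev.user, "->", ev.runas, ev.cmd)
    print(summarize(SAMPLE_LOG.splitlines()))
```

Pipe /var/log/secure (or the journal's sudo entries) into `find_script_invocations()`; an allowed hit on an unpatched host is the condition the advisory describes, and a denied hit after the sudo workaround is applied shows something is still trying.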

🔗 References
