CVE-2021-41387
📋 TL;DR
CVE-2021-41387 is a privilege escalation vulnerability in the seatd-launch component of seatd (a seat management daemon for Wayland compositors). It allows local attackers to gain root privileges because the setuid-root binary uses execlp() without proper path validation. This affects systems where seatd is installed and seatd-launch is configured with setuid permissions.
💻 Affected Systems
- seatd
📦 What is this software?
Seatd by Seatd Project
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root privileges on the system, enabling complete system compromise, data theft, persistence installation, and lateral movement.
Likely Case
Local user with shell access escalates to root privileges, gaining administrative control over the system.
If Mitigated
No privilege escalation is possible if seatd-launch is not installed setuid root or if a patched version is used.
🎯 Exploit Status
Exploitation requires local access to the system. The vulnerability is in path handling when using execlp(), allowing PATH manipulation attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.6.2
Vendor Advisory: https://lists.sr.ht/~kennylevinsen/seatd-announce/%3CGJ2IZQ.HCKS1J0LSI803%40kl.wtf%3E
Restart Required: No
Instructions:
1. Update seatd to version 0.6.2 or later.
2. For package managers: 'sudo apt update && sudo apt upgrade seatd' or equivalent.
3. For source installation: Download latest release from https://git.sr.ht/~kennylevinsen/seatd and rebuild.
🔧 Temporary Workarounds
Remove setuid bit
Linux: Remove setuid permissions from seatd-launch binary to prevent privilege escalation
sudo chmod u-s /usr/local/bin/seatd-launch
Uninstall seatd
Linux: Remove seatd package if not required for system functionality
sudo apt remove seatd
sudo yum remove seatd
sudo pacman -R seatd
🧯 If You Can't Patch
- Remove setuid permissions from seatd-launch binary using 'sudo chmod u-s /path/to/seatd-launch'
- Implement strict access controls to limit local user access to systems with vulnerable seatd installation
🔍 How to Verify
Check if Vulnerable:
Check seatd version with 'seatd --version' or 'dpkg -l | grep seatd' and verify if seatd-launch has setuid bit: 'ls -la /usr/local/bin/seatd-launch | grep rws'
Check Version:
seatd --version 2>/dev/null || dpkg -l | grep seatd || rpm -q seatd || pacman -Q seatd
Verify Fix Applied:
Confirm seatd version is 0.6.2 or later and seatd-launch does not have setuid bit or uses proper path validation
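The two checks above (installed version against 0.6.2, and the setuid bit on seatd-launch) combined into one audit helper. This is an added example, not part of the original advisory or of seatd; the function names are hypothetical, and it assumes a `sort` that supports `-V` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: audit helper for CVE-2021-41387 (not seatd project code).
# Assumption: sort(1) supports -V for version ordering.

FIXED_VERSION="0.6.2"   # patch version stated in the advisory

# version_lt A B: succeeds when version A sorts strictly before version B.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# has_setuid FILE: succeeds when FILE exists and carries the setuid bit
# (the same condition the 'ls -la ... | grep rws' check looks for).
has_setuid() {
    [ -u "$1" ]
}

# assess VERSION BINARY: prints one of
#   patched     version is 0.6.2 or later
#   vulnerable  version is older and the binary is setuid
#   mitigated   version is older but the setuid bit is absent
assess() {
    ver=$1
    bin=$2
    if ! version_lt "$ver" "$FIXED_VERSION"; then
        echo patched
    elif has_setuid "$bin"; then
        echo vulnerable
    else
        echo mitigated
    fi
}

# Stand-alone use: ./audit.sh 0.6.1 /usr/local/bin/seatd-launch
if [ "$#" -ge 2 ]; then
    assess "$1" "$2"
fi
```

Pass the version string reported by the package manager and the actual install path of seatd-launch, which varies by distribution.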
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation attempts
- seatd-launch execution with manipulated PATH environment
Network Indicators:
- None - this is a local privilege escalation
SIEM Query:
process.name:"seatd-launch" AND user.name!="root" AND process.parent.name!="seatd"