CVE-2021-4197
📋 TL;DR
This Linux kernel vulnerability in the control groups (cgroups) subsystem allows a local unprivileged user to write to cgroup file handles it should not be able to write to, potentially leading to system crashes or privilege escalation. It affects both the cgroup1 and cgroup2 implementations. Any Linux system running an affected kernel version is vulnerable.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Brocade Fabric Operating System Firmware by Broadcom
Communications Cloud Native Core Binding Support Function by Oracle
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via privilege escalation to root, allowing complete control over the system and potential data exfiltration.
Likely Case
Local privilege escalation allowing attackers to gain root access from an unprivileged user account.
If Mitigated
Limited impact if proper access controls restrict local user accounts and kernel is patched.
🎯 Exploit Status
Exploit requires local access and understanding of cgroups subsystem. Proof-of-concept code has been published in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions 5.15.11, 5.14.14, 5.10.75, 5.4.157, 4.19.218 and later
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2035652
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a patched version via the distribution package manager.
2. For RHEL/CentOS: 'yum update kernel'.
3. For Ubuntu/Debian: 'apt update && apt upgrade linux-image'.
4. Reboot the system to load the new kernel.
🔧 Temporary Workarounds
Restrict local user access
Limit local user accounts and implement strict access controls to reduce the attack surface
Disable unnecessary cgroup features
Disable cgroup features not required for system operation
echo 0 > /proc/sys/kernel/unprivileged_userns_clone
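The 'echo 0 > ...' command above takes effect immediately but is lost at reboot, and the knob it writes exists only on kernels that carry the Debian/Ubuntu unprivileged_userns_clone patch (mainline kernels have no such file). The script below is an added example, not part of the advisory: it reports the knob's state and, when run as root on a kernel that has it, disables it and persists the setting in a sysctl.d drop-in. The knob path and drop-in file name are parameters so the functions can be exercised against temporary files; the drop-in name 99-cve-2021-4197.conf is an assumed choice.

```shell
#!/bin/sh
# Added example (not from the advisory): inspect and persist the
# unprivileged_userns_clone workaround for CVE-2021-4197.

# Print the state of the knob at $1 (default: the live sysctl file):
# "absent" if this kernel does not provide it, otherwise its value
# ("0" = unprivileged user namespaces disabled, "1" = enabled).
userns_clone_state() {
    knob=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    if [ ! -r "$knob" ]; then
        echo absent
        return 1
    fi
    cat "$knob"
}

# Disable unprivileged user namespaces now and persist the setting in a
# sysctl.d drop-in so it survives reboot. $1 = knob path, $2 = drop-in
# file; both default to the real locations (assumed drop-in name).
disable_unprivileged_userns() {
    knob=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    dropin=${2:-/etc/sysctl.d/99-cve-2021-4197.conf}
    if [ ! -w "$knob" ]; then
        echo "cannot write $knob (knob missing or not running as root); nothing changed" >&2
        return 1
    fi
    echo 0 > "$knob"
    printf 'kernel.unprivileged_userns_clone = 0\n' > "$dropin"
    echo "unprivileged_userns_clone is now $(cat "$knob"); persisted in $dropin"
}

# Report the live state; the function's non-zero status for "absent"
# is deliberately not propagated so a "set -e" caller keeps running.
echo "unprivileged_userns_clone: $(userns_clone_state)"
```

Before applying this on a production host, check what depends on unprivileged user namespaces: rootless container runtimes and some browser sandboxes use them and will stop working when the knob is 0. Where the knob is reported as "absent", this workaround does not apply and patching remains the only fix.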
🧯 If You Can't Patch
- Implement strict access controls to limit local user accounts
- Monitor system logs for privilege escalation attempts and unusual cgroup activity
🔍 How to Verify
Check if Vulnerable:
Check the kernel version with 'uname -r' and compare it against the fixed release of its stable branch. Vulnerable if the version is before 5.15.11, 5.14.14, 5.10.75, 5.4.157, or 4.19.218 on the corresponding branch.
Check Version:
uname -r
Verify Fix Applied:
After patching, verify kernel version with 'uname -r' shows patched version and check that system operates normally.
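The comparison described above is easy to get wrong by hand because each stable branch has its own fixed release. The script below is an added example, not part of the advisory: it parses a 'uname -r' string, picks the fixed release for that kernel's branch from the list above, and returns 0 (patched), 1 (below the fixed release) or 2 (branch not listed, or unparseable). Branches newer than 5.15 are treated as fixed because they were cut after the fix landed upstream; that generalization is mine, not the advisory's.

```shell
#!/bin/sh
# Added example (not from the advisory): compare a kernel version string
# against the fixed releases listed for CVE-2021-4197.

# First fixed patch level per stable branch, as given in the advisory.
FIXED_VERSIONS="5.15 11
5.14 14
5.10 75
5.4 157
4.19 218"

# Extract the upstream "major.minor.patch" prefix from a uname -r string
# such as "5.10.0-8-amd64" or "4.18.0-348.el8.x86_64".
upstream_version() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print a one-line verdict for the version string in $1 and return:
#   0 = at or above the fixed release for its branch
#   1 = below the fixed release (vulnerable per the advisory)
#   2 = cannot decide from the version alone
cve_2021_4197_status() {
    ver=$(upstream_version "$1")
    if [ -z "$ver" ]; then
        echo "unparseable version string: $1"
        return 2
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    branch="$major.$minor"

    fixed=$(printf '%s\n' "$FIXED_VERSIONS" | awk -v b="$branch" '$1 == b { print $2 }')
    if [ -z "$fixed" ]; then
        # Assumption: branches newer than 5.15 already contain the fix.
        if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -gt 15 ]; }; then
            echo "$ver: branch $branch is newer than 5.15, fix included upstream"
            return 0
        fi
        echo "$ver: branch $branch is not listed in the advisory; consult the vendor advisory"
        return 2
    fi

    if [ "$patch" -ge "$fixed" ]; then
        echo "$ver: at or above $branch.$fixed, patched"
        return 0
    fi
    echo "$ver: below $branch.$fixed, vulnerable unless the vendor backported the fix"
    return 1
}

# Report on the running kernel. Wrapped in "if" so that a vulnerable
# verdict (status 1) does not abort a caller that has "set -e" enabled.
if cve_2021_4197_status "$(uname -r)"; then :; fi
```

Treat the verdict as a heuristic for distribution kernels: RHEL, Debian and others backport security fixes without changing the upstream version number, so a kernel reported as "below the fixed release" may already be fixed. The distribution's own advisory (see the references) is authoritative for those builds; this check is exact only for kernels built from upstream stable releases.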
📡 Detection & Monitoring
Log Indicators:
- Unusual cgroup operations in kernel logs
- Failed privilege escalation attempts
- Unexpected process creation with elevated privileges
Network Indicators:
- Not applicable - local exploit only
SIEM Query:
source="kernel" AND ("cgroup" OR "privilege escalation")
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=2035652
- https://lore.kernel.org/lkml/20211209214707.805617-1-tj%40kernel.org/T/
- https://security.netapp.com/advisory/ntap-20220602-0006/
- https://www.debian.org/security/2022/dsa-5127
- https://www.debian.org/security/2022/dsa-5173
- https://www.oracle.com/security-alerts/cpujul2022.html