XFS file system vulnerability CVE-2021-4155: what it is and how to fix it

January 10, 2022 | Company, IaaS

The Virtuozzo R&D team has recently discovered and reported a vulnerability in the XFS file system, the default file system for Red Hat Enterprise Linux (RHEL).

The vulnerability has been assigned the CVE-2021-4155 code. A fix has already been developed and submitted by the Virtuozzo team.

This post describes the vulnerability, what impact (if any) it has on Virtuozzo products, and how to apply the fix if required.

If you’re reading this and you are NOT a Virtuozzo customer, we strongly advise that you check your own RHEL environments, check with your IT team, or talk to your hosting or cloud provider to ensure that the correct steps have been taken to mitigate this vulnerability.

Vulnerability Details

The vulnerability allows an attacker to gain unrestricted access to certain XFS file system blocks from unprivileged user accounts.

It does not allow direct access to files on vulnerable XFS file systems. It does, however, allow access to blocks that the XFS file system no longer uses but that once belonged to files, namely:

  • Blocks of previously removed files
  • Blocks of previously defragmented files
  • Blocks of previously deduplicated files

An attacker must first gain access to a Linux system running the XFS file system before they can use the exploit.

Information about the Security Fix

A security fix has been developed by Virtuozzo, and submitted to upstream.

Users of Virtuozzo Hybrid Server 7, Virtuozzo Hybrid Infrastructure, and ReadyKernel will automatically receive the fix via a ReadyKernel security patch with no restart required.

The VzLinux 8 repository already includes the fixed kernel, so customers just need to install the latest kernel and reboot the instance.

If you have physical or virtual servers running other Linux distributions, you should check the security updates and add the fix yourself.

Information for Virtuozzo Partners and Customers

  • By default, Virtuozzo Hybrid Infrastructure (all versions), Virtuozzo Hybrid Server (7 and newer, 7.5 and newer), and Virtuozzo 6 installations do not use XFS file systems
  • Virtuozzo Hybrid Infrastructure installations (all versions) are not vulnerable, unless they have additional XFS file systems mounted on them
  • Virtuozzo Hybrid Server installations - v7 and newer, v7.5 and newer - are not vulnerable, unless they have additional XFS file systems mounted on them
  • Virtuozzo 6 installations (all versions) are not vulnerable, unless they have additional XFS file systems mounted on them
  • Virtual machines with XFS file systems are vulnerable to the exploit
  • Containers with XFS file systems are vulnerable to the exploit
  • Compromised containers and virtual machines do not pose any threat to host systems
  • Attackers cannot gain access to the host file system, or to file systems of other virtual machines and containers running on the same host, or neighbouring hosts

How to Check if Additional XFS File Systems are Mounted

In order to check if your installation is vulnerable because of additional XFS file systems mounted, log in to every host node in the environment, using SSH or other means, and execute the following command:

# grep xfs /proc/mounts | grep -v ploop

If the output of the command is empty, the node is safe from the vulnerability.

If the output of the command is not empty, then your file system is at risk.
For example, the output can include:

# grep xfs /proc/mounts | grep -v ploop

/dev/sda4 /var/log xfs rw,relatime,attr2,discard,inode64,noquota 0 0

In this case, you need to make sure that the security fix has been applied, or apply the fix manually if you need to. Follow the instructions below.

How to Check if the Security Fix is Applied

For Virtuozzo Hybrid Server, Virtuozzo Hybrid Infrastructure and ReadyKernel users:

The fix is included in the v138 set of ReadyKernel patches. Check whether it is already installed on your system by running the 'readykernel info' command.

The output must indicate that ReadyKernel patch version 138 is installed.

Sample output:

# readykernel info
Patch name: readykernel-patch-183.5-138.0-1.vl7
Patch module: kpatch_cumulative_138_0_r1
File: /var/lib/kpatch/3.10.0-1160.41.1.vz7.183.5/kpatch-cumulative-138-0-r1.ko
Version: 138.0

For VZLinux 8 users:

The fix is included in the kernel version 4.18.0-348.7.1. Check that you are running this kernel with 'uname -r'. Sample output:

# uname -r

vzlinux8 4.18.0-348.7.1.vl8.1.x86_64

If your system does not have the correct ReadyKernel patch or kernel version, please follow the instructions below.
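The two checks above (additional XFS mounts, and the ReadyKernel patch or VzLinux 8 kernel version) can be scripted so they run the same way on every node. The following POSIX shell script is an added example, not Virtuozzo's own tooling; it parses the command outputs shown in this post, uses constructed sample input so it can be exercised offline, and assumes that any VzLinux 8 kernel with a release number at or above 348.7.1 on the 4.18.0 base carries the fix.

```shell
#!/bin/sh
# Added example (not Virtuozzo tooling): offline versions of the advisory's
# manual checks. Each function takes command output as its argument, so it
# can be exercised on constructed samples; on a live host pass
# "$(cat /proc/mounts)", "$(readykernel info)" or "$(uname -r)".

# Print additional (non-ploop) XFS mounts from /proc/mounts content.
# Mirrors: grep xfs /proc/mounts | grep -v ploop  (field 3 is the fs type)
xfs_extra_mounts() {
    printf '%s\n' "$1" | awk '$3 == "xfs" && $0 !~ /ploop/ { print $1, $2 }'
}
# Succeeds (exit 0) when at least one additional XFS mount is present.
has_extra_xfs() {
    [ -n "$(xfs_extra_mounts "$1")" ]
}

# Succeeds when 'readykernel info' output reports patch set 138 or later.
readykernel_fixed() {
    ver=$(printf '%s\n' "$1" | awk -F': *' '$1 == "Version" { print $2 }')
    [ -n "$ver" ] || return 1
    [ "${ver%%.*}" -ge 138 ]
}

# Succeeds when a VzLinux 8 'uname -r' string is 4.18.0-348.7.1 or later.
# Assumption: same 4.18.0 base; the release is compared field by field.
vzlinux8_kernel_fixed() {
    rel=${1#4.18.0-}
    [ "$rel" != "$1" ] || return 1        # not a 4.18.0 kernel at all
    set -- $(printf '%s' "$rel" | tr '.' ' ')
    a=${1:-0}; b=${2:-0}; c=${3:-0}
    [ "$a" -gt 348 ] && return 0
    [ "$a" -lt 348 ] && return 1
    [ "$b" -gt 7 ] && return 0
    [ "$b" -lt 7 ] && return 1
    [ "$c" -ge 1 ]
}

# Constructed samples (the /var/log line is the advisory's own example).
SAMPLE_MOUNTS='/dev/ploop12345p1 /vz/root/101 xfs rw,relatime 0 0
/dev/sda4 /var/log xfs rw,relatime,attr2,discard,inode64,noquota 0 0'
SAMPLE_RK='Patch name: readykernel-patch-183.5-138.0-1.vl7
Version: 138.0'

# Live mode (run as root): sh check-cve-2021-4155.sh --live
if [ "${1:-}" = "--live" ]; then
    has_extra_xfs "$(cat /proc/mounts)" && echo "extra XFS mounts present"
    readykernel_fixed "$(readykernel info 2>/dev/null)" && echo "ReadyKernel 138+"
    vzlinux8_kernel_fixed "$(uname -r)" && echo "VzLinux 8 kernel fixed"
fi
```

Without `--live` the script only defines the functions and samples, so it can be sourced from a larger inventory script that loops over hosts.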

How to Apply the Security Fix Manually (if required)

For Virtuozzo Hybrid Server, Virtuozzo Hybrid Infrastructure and ReadyKernel users: 

If you have disabled automatic ReadyKernel updates, then the security fix should be applied manually by following these steps:

1. Check the kernel version with 'uname -r'

ReadyKernel updates with the fix are only provided for the following kernels:

3.10.0-1127.8.2.vz7.151.14
3.10.0-1127.8.2.vz7.158.8
3.10.0-1127.18.2.vz7.163.46
3.10.0-1160.21.1.vz7.174.13
3.10.0-1160.41.1.vz7.183.5

2. Run 'readykernel update'

If the currently used kernel version is one of the versions listed above, 'readykernel update' will install and enable the appropriate update.

For VZLinux 8 users:

Install the latest updates by running 'yum update' and reboot your system.

More information

The Virtuozzo team continues to track and improve our products to make sure your projects run in secure and reliable environments. Feel free to share your feedback or request assistance by contacting us at https://www.virtuozzo.com/support