CVE-2021-23177 Overview
CVE-2021-23177 is a symlink attack vulnerability (CWE-59: Improper Link Resolution Before File Access) affecting libarchive, a widely-used multi-format archive and compression library. The vulnerability exists in the archive extraction functionality, where improper handling of symbolic links allows an attacker to manipulate the Access Control List (ACL) of arbitrary files on the target system.
When a victim user extracts a maliciously crafted archive, the extraction process follows symbolic links without proper validation, allowing the attacker to modify ACLs of files outside the intended extraction directory. This can lead to local privilege escalation by granting unauthorized access to sensitive system files or executables.
Critical Impact
Local attackers can exploit this vulnerability to escalate privileges by manipulating file ACLs during archive extraction, potentially gaining unauthorized access to protected system resources.
Affected Products
- libarchive libarchive (all versions prior to the security patch)
- Red Hat Enterprise Linux 8.0 and 8.6 EUS
- Red Hat Enterprise Linux for IBM z Systems 8.0 and 8.6 EUS
- Red Hat Enterprise Linux for Power Little Endian 8.0 and 8.6 EUS
- Red Hat Enterprise Linux Server AUS 8.6
- Red Hat Enterprise Linux Server TUS 8.6
- Red Hat CodeReady Linux Builder
- Fedora 35
- Debian Linux 10.0
Discovery Timeline
- 2022-08-23 - CVE-2021-23177 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-23177
Vulnerability Analysis
This vulnerability stems from improper link resolution in libarchive's archive extraction routines. When extracting archives containing symbolic links, the library fails to properly validate whether ACL operations should be applied to the symbolic link itself or to the target file the link points to. This creates a Time-of-Check to Time-of-Use (TOCTOU) condition where an attacker can craft an archive that, during extraction, modifies the ACLs of unintended target files.
The attack requires local access and user interaction (the victim must extract the malicious archive), but once triggered, it can result in complete compromise of file confidentiality, integrity, and availability on the affected system. The vulnerability affects both FreeBSD and Linux implementations of the ACL handling code within libarchive.
Root Cause
The root cause lies in the set_acl() function implementations across multiple platform-specific ACL handlers (archive_disk_acl_freebsd.c and archive_disk_acl_linux.c). These functions did not properly check whether the target file was a symbolic link before applying ACL modifications. On Linux systems specifically, RichACLs operations were applied without verifying the file type, despite the fact that Linux does not support RichACLs on symbolic links.
Attack Vector
An attacker crafts a malicious archive containing a symbolic link pointing to a target file (such as /etc/shadow, system binaries, or configuration files). The archive structure is designed so that when extracted by a victim user, the ACL modification operations follow the symlink and are applied to the target file rather than the link itself. This allows the attacker to:
- Grant themselves read/write permissions to sensitive files
- Remove restrictive ACLs from protected system files
- Escalate privileges by modifying executable permissions
The following patches demonstrate the security fix implemented to address this vulnerability:
// Fix handling of symbolic link ACLs - FreeBSD implementation
static int
set_acl(struct archive *a, int fd, const char *name,
- struct archive_acl *abstract_acl,
+ struct archive_acl *abstract_acl, __LA_MODE_T mode,
int ae_requested_type, const char *tname)
{
int acl_type = 0;
Source: GitHub Commit for libarchive
// Fix handling of symbolic link ACLs - Linux implementation
if (S_ISLNK(mode)) {
/* Linux does not support RichACLs on symbolic links */
return (ARCHIVE_OK);
}
richacl = richacl_alloc(entries);
if (richacl == NULL) {
archive_set_error(a, errno,
Source: GitHub Commit for libarchive
The fix adds a mode parameter to the set_acl() function and implements explicit checks using S_ISLNK(mode) to detect symbolic links. When a symbolic link is detected, the function now returns early without attempting ACL operations, preventing the exploitation vector.
Detection Methods for CVE-2021-23177
Indicators of Compromise
- Unexpected changes to file ACLs, particularly on sensitive system files such as /etc/shadow, /etc/passwd, or system binaries
- Presence of archive files containing symbolic links pointing to system directories or protected files
- Unusual extraction activities from untrusted archive sources by privileged users
- Modified ACL entries granting unexpected users access to restricted files
Detection Strategies
- Monitor file system ACL changes using auditd rules targeting setxattr and setfacl system calls
- Implement file integrity monitoring (FIM) on critical system files to detect unauthorized ACL modifications
- Analyze archive contents before extraction using tools that can identify suspicious symbolic link targets
- Deploy endpoint detection to alert on libarchive processes modifying files outside expected directories
Monitoring Recommendations
- Configure SentinelOne Singularity to monitor for suspicious archive extraction patterns and subsequent ACL modifications
- Enable audit logging for ACL-related system calls on Linux systems using auditctl -w /etc/ -p a
- Implement YARA rules to detect archives containing symbolic links to sensitive system paths
- Monitor for processes invoking libarchive functions followed by ACL modifications to unrelated files
How to Mitigate CVE-2021-23177
Immediate Actions Required
- Update libarchive to the latest patched version containing commit fba4f123cc456d2b2538f811bb831483bf336bad
- Restrict archive extraction to dedicated sandboxed environments or containers
- Educate users about the risks of extracting archives from untrusted sources
- Review and audit recent ACL changes on critical system files for signs of compromise
Patch Information
The vulnerability has been addressed in the upstream libarchive repository. The fix is available in the GitHub Commit for libarchive. Distribution-specific patches are available from:
- Red Hat: See Red Hat CVE-2021-23177 Advisory and Red Hat Bug Report #2024245
- Debian: See Debian LTS Announcement
- Fedora: Updates available through standard package repositories
For additional technical details, refer to GitHub Issue #1565 for libarchive.
Workarounds
- Extract archives as an unprivileged user in an isolated directory without symbolic link permissions
- Use archive extraction tools that provide options to ignore or skip symbolic links during extraction
- Implement mandatory access control (MAC) policies using SELinux or AppArmor to restrict ACL modifications
- Pre-scan archives with security tools to identify and reject archives containing suspicious symbolic link structures
# Configuration example - Restrict symbolic link handling during extraction
# Use bsdtar with safeguards
bsdtar -xf archive.tar --no-same-permissions --no-acls
# Audit ACL changes on sensitive directories
auditctl -w /etc -p a -k acl_changes
auditctl -w /usr/bin -p a -k acl_changes
# Scan archive for suspicious symlinks before extraction
bsdtar -tvf archive.tar | grep "^l" | grep -E "(etc|passwd|shadow|bin)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
