CVE-2021-35937 Overview
A race condition vulnerability was discovered in RPM (Red Hat Package Manager), the widely-used package management system for Linux distributions. This flaw allows a local unprivileged user to exploit a Time-of-Check Time-of-Use (TOCTOU) race condition to bypass security checks that were previously implemented to address CVE-2017-7500 and CVE-2017-7501, potentially leading to root privilege escalation.
Critical Impact
Local attackers can exploit this race condition to gain root privileges, compromising data confidentiality, integrity, and system availability on affected Linux systems.
Affected Products
- RPM Package Manager (all versions prior to 4.18.0)
- Red Hat Enterprise Linux 6.0, 7.0, 8.0, and 9.0
- Fedora 34
Discovery Timeline
- 2022-08-25 - CVE-2021-35937 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-35937
Vulnerability Analysis
This vulnerability represents a classic Time-of-Check Time-of-Use (TOCTOU) race condition (CWE-367) combined with improper link resolution (CWE-59). The flaw exists in how RPM handles file operations during package installation, where a window of opportunity exists between when a file path is verified and when it is actually used.
The vulnerability bypasses security mitigations that were previously introduced to address similar symlink-based attacks (CVE-2017-7500 and CVE-2017-7501). An attacker with local access can manipulate filesystem objects during the race window to redirect file operations to privileged locations, ultimately achieving arbitrary file writes with root privileges.
The attack requires local access and high privileges to initiate, but the complexity lies in successfully winning the race condition. When successfully exploited, an attacker can achieve complete system compromise including arbitrary code execution as root.
Root Cause
The root cause stems from improper handling of symbolic links and hard links during RPM package installation operations. RPM performs security checks on file paths before writing package contents, but a timing gap exists between the check and the actual file operation. During this window, an attacker can substitute a legitimate path with a symbolic link pointing to a privileged system location, bypassing the initial security validation.
This represents both a symlink following vulnerability (CWE-59) and a TOCTOU race condition (CWE-367), where the security properties of a resource change between verification and use.
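The check-then-use gap described above, as an added example that is not RPM's own code: a minimal installer-style file writer in the vulnerable lstat()-then-open() shape beside a hardened use-then-check variant, run against a constructed temp-file scenario in which the vetted regular file is swapped for a symlink during the window. The hook callback, the /tmp file names and the followed_symlink harness are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-use (CWE-367): lstat() vets the path, open() uses it later. The hook
 * stands in for the scheduler preempting the installer between the two steps. */
int open_for_write_toctou(const char *path, void (*hook)(void *), void *ctx)
{
    struct stat st;
    if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) { errno = ELOOP; return -1; }
    if (hook) hook(ctx);                                   /* the race window */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);  /* follows a symlink */
}

/* Use-then-check: O_NOFOLLOW makes the kernel refuse a symlink atomically, then fstat()
 * inspects the object actually opened; st_nlink != 1 also rejects a hard-link swap. */
int open_for_write_hardened(const char *path, void (*hook)(void *), void *ctx)
{
    struct stat st;
    if (hook) hook(ctx);                                   /* same window, now harmless */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0644); /* ELOOP on a symlink */
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1)) {
        close(fd); errno = EPERM; fd = -1;
    }
    return fd;
}

/* Constructed race: atomically replace the vetted regular file with a prepared symlink. */
struct swap { char staged[64], lnk[64]; };
static void swap_in_symlink(void *p) { struct swap *s = p; rename(s->lnk, s->staged); }
/* Constructed scenario in /tmp: `staged` is a regular file at check time; `lnk` -> `target` is
 * swapped in during the window. Returns 1 if the opener landed on `target`, 0 if refused, -1 on error. */
int followed_symlink(int (*opener)(const char *, void (*)(void *), void *))
{
    char target[64]; struct swap s; struct stat tst, ost; int fd, result = -1; long pid = getpid();
    snprintf(target, sizeof target, "/tmp/toctou-%ld-target", pid);
    snprintf(s.staged, sizeof s.staged, "/tmp/toctou-%ld-staged", pid);
    snprintf(s.lnk, sizeof s.lnk, "/tmp/toctou-%ld-lnk", pid);
    if (close(open(target, O_WRONLY | O_CREAT, 0644)) || stat(target, &tst) ||
        close(open(s.staged, O_WRONLY | O_CREAT, 0644)) || symlink(target, s.lnk)) goto out;
    fd = opener(s.staged, swap_in_symlink, &s);
    result = fd >= 0 && fstat(fd, &ost) == 0 && ost.st_ino == tst.st_ino;
    if (fd >= 0) close(fd);
out:
    unlink(s.lnk); unlink(s.staged); unlink(target);
    return result;
}
```

The vulnerable variant ends up with a descriptor on `target` because the symlink appeared after the check; the hardened variant is unaffected by when the swap happens, since the kernel enforces the check at the moment of use.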
Attack Vector
The attack requires local access to the target system. An attacker must:
- Identify an RPM installation or upgrade operation in progress
- Monitor the filesystem for the timing window between security checks and file writes
- Create a symbolic link during this window that redirects the file write to a privileged location
- Successfully win the race condition to have their symlink processed instead of the legitimate target
Due to the local attack vector and the need to precisely time the race condition, exploitation requires persistence and multiple attempts. However, successful exploitation results in root privilege escalation with full impact to confidentiality, integrity, and availability.
For detailed technical analysis of race condition exploitation techniques in package managers, refer to the USENIX Security Paper on related attack methodologies.
Detection Methods for CVE-2021-35937
Indicators of Compromise
- Unexpected symbolic links created in /var/lib/rpm/ or package staging directories during installation
- Rapid file creation and deletion patterns during RPM operations indicating race condition attempts
- Unexpected file modifications in privileged directories coinciding with package installation timestamps
- Process tracing showing suspicious timing between stat() and open() syscalls on package files
Detection Strategies
- Monitor for anomalous symlink creation activity during package management operations using filesystem auditing
- Deploy behavioral detection rules that flag rapid filesystem object manipulation during rpm process execution
- Implement auditd rules to track symlink creation in RPM working directories
- Use inotify-based monitoring to detect suspicious filesystem changes during package operations
Monitoring Recommendations
- Enable detailed filesystem auditing for /var/lib/rpm/ and temporary package directories
- Configure audit rules to log all symlink and hardlink creation events: auditctl -w /var/lib/rpm/ -p wa -k rpm_race
- Monitor for privilege escalation indicators following any RPM package operations
- Review system logs for failed RPM operations that may indicate exploitation attempts
How to Mitigate CVE-2021-35937
Immediate Actions Required
- Update RPM to version 4.18.0 or later which contains the fix for this vulnerability
- Apply vendor-specific patches from Red Hat, Fedora, or your Linux distribution
- Restrict local user access on critical systems to minimize attack surface
- Monitor systems for exploitation attempts while patches are being deployed
Patch Information
The vulnerability has been addressed in RPM version 4.18.0. Vendors have released patches through their respective security advisory channels:
- Red Hat CVE Advisory - Official Red Hat security information and patch availability
- Red Hat Bug Report - Detailed bug tracking and patch status
- RPM 4.18.0 Release Notes - Upstream fix information
- Gentoo GLSA 2022-22 - Gentoo Linux security advisory
Apply updates through your distribution's package manager to receive the patched version of RPM.
Workarounds
- Limit local user access to systems where RPM operations are performed regularly
- Implement mandatory access control (SELinux/AppArmor) policies to restrict symlink operations during package installation
- Consider running RPM operations in isolated environments or containers where possible
- Temporarily restrict package installation to maintenance windows with reduced local user activity
# Persistently set the rpm_enable_homedirs SELinux boolean off (requires SELinux to be enabled)
setsebool -P rpm_enable_homedirs off
# Audit rules to monitor for exploitation attempts: watch the RPM database directory for
# writes and attribute changes, and log every symlink()/symlinkat() call on the 64-bit ABI
auditctl -w /var/lib/rpm/ -p wa -k rpm_symlink_race
auditctl -a always,exit -F arch=b64 -S symlink -S symlinkat -k symlink_creation
# Verify the RPM version after patching (expect 4.18.0 or later)
rpm --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.