CVE-2021-35939 Overview
CVE-2021-35939 is a symbolic link following (symlink attack) vulnerability affecting the RPM Package Manager. The flaw stems from an incomplete fix for CVE-2017-7500 and CVE-2017-7501, where the security check was only implemented for the parent directory of the file to be created during package installation. A local unprivileged user who owns another ancestor directory could potentially exploit this flaw to gain root privileges during RPM package operations.
Critical Impact
This vulnerability enables local privilege escalation to root through symlink manipulation during package installation, threatening data confidentiality, integrity, and system availability.
Affected Products
- RPM Package Manager (all versions prior to 4.18.0)
- Red Hat Enterprise Linux 8.0
- Linux distributions utilizing vulnerable RPM versions
Discovery Timeline
- 2022-08-26 - CVE-2021-35939 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-35939
Vulnerability Analysis
This vulnerability is classified as CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink attack. The flaw exists in how RPM validates directory paths during file installation operations. While previous patches for CVE-2017-7500 and CVE-2017-7501 added validation checks for the immediate parent directory of files being created, the fix failed to account for validation of all ancestor directories in the path hierarchy.
When RPM installs files, it traverses the directory path and creates necessary directories. An attacker who controls an ancestor directory (other than the immediate parent) can create a symbolic link pointing to a sensitive location. When RPM follows this symlink during installation with elevated privileges, it may write files to unintended locations, allowing the attacker to overwrite critical system files or place malicious executables in privileged paths.
The vulnerability requires local access and the ability to control an ancestor directory in the installation path, but successful exploitation can result in complete system compromise through root privilege escalation.
Root Cause
The root cause is an incomplete security fix that only validated the immediate parent directory during file creation operations. The validation logic failed to recursively check all intermediate directories in the path for symbolic links that could redirect file operations to unauthorized locations. This oversight allowed attackers to bypass the security check by placing malicious symlinks in grandparent or higher-level ancestor directories.
Attack Vector
The attack requires local access and ownership of an ancestor directory in the file installation path. An attacker would:
- Identify an RPM package that installs files to a predictable path
- Create or control an ancestor directory in that path
- Replace the legitimate directory with a symbolic link to a target location (e.g., /etc/, /usr/bin/)
- Wait for or trigger an RPM installation operation running as root
- RPM follows the symlink and writes files to the attacker-controlled destination with root privileges
The security patch addresses this by validating every intermediate path component using the POSIX functions openat, mkdirat, and fstatat, so the traversal itself never follows an unexpected symlink during installation. The first excerpt below is the README change from the fixing commit, which records the new platform requirement those functions impose:
which is available from
http://www.gnu.org/
+Rpm requires a POSIX.1-2008 level operating system.
+
To compile RPM:
--------------
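Review bot: the added sentence "Rpm requires a POSIX.1-2008 level operating system." is the only documentation of the new build dependency in this hunk, and it does not say why; consider naming the functions the requirement exists for (openat, mkdirat, fstatat) so packagers on older platforms know what a failing build is asking for. This README hunk also contains none of the path-validation logic itself, so the commit's source changes that use those calls during installation need to be reviewed alongside it.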
Source: GitHub RPM Commit 96ec957
The configure.ac changes add required POSIX functions for secure directory operations:
AC_CHECK_FUNCS(
[mkstemp getcwd basename dirname realpath setenv unsetenv regcomp lchown \
- utimes getline localtime_r statvfs getaddrinfo ],
+ utimes getline localtime_r statvfs getaddrinfo \
+ openat mkdirat fstatat ],
[], [AC_MSG_ERROR([function required by rpm])])
AC_LIBOBJ(fnmatch)
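Review bot: moving openat, mkdirat and fstatat into the AC_CHECK_FUNCS list that ends in AC_MSG_ERROR([function required by rpm]) makes them a hard build requirement with no fallback, which is the right call for a security fix (a silent fallback to path-based mkdir/stat would reintroduce the symlink window); confirm the same commit removes or guards every remaining non-*at directory-creation path, since the property only holds if all directories created during installation go through these calls. Style: the new continuation `getaddrinfo \` keeps the list in the file's existing one-function-group-per-line layout, which is fine.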
Source: GitHub RPM Commit 96ec957
Detection Methods for CVE-2021-35939
Indicators of Compromise
- Unexpected symbolic links in directory paths where RPM packages install files
- Suspicious ownership of directories in system paths by non-root users
- Unexplained modifications to system files following RPM operations
- Audit logs showing file creation in unexpected locations during package installation
Detection Strategies
- Monitor file system operations during RPM transactions using auditd rules for symlink creation
- Implement integrity monitoring on critical system directories (/etc/, /usr/bin/, /usr/lib/)
- Review directory ownership and permissions for unusual non-root ownership in system paths
- Use rpm -V (verify) commands to detect unauthorized file modifications in installed packages
Monitoring Recommendations
- Configure auditd to monitor symlink(), symlinkat(), link(), and linkat() system calls in sensitive paths
- Enable SELinux or AppArmor policies to restrict symlink following during package operations
- Implement file integrity monitoring (FIM) solutions to detect unauthorized changes to system files
- Review RPM transaction logs (/var/log/dnf.log or /var/log/yum.log) for anomalous installation patterns
How to Mitigate CVE-2021-35939
Immediate Actions Required
- Upgrade RPM to version 4.18.0 or later which contains the complete security fix
- Apply vendor-specific patches from Red Hat or your Linux distribution
- Audit directory ownership in paths where packages are installed for unauthorized user ownership
- Restrict write access to system directories and implement stricter directory permission policies
Patch Information
The vulnerability has been addressed in RPM version 4.18.0 with commit 96ec957e281220f8e137a2d5eb23b83a6377d556. The patch implements comprehensive validation of intermediate symlinks during installation using POSIX.1-2008 functions (openat, mkdirat, fstatat) that allow safe traversal of directory paths without following symbolic links unexpectedly.
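As an added illustration (written for this page; not rpm's own fsm code and not taken from commit 96ec957), the C helper below shows the per-component traversal the fix describes: each directory on the way is created and opened with mkdirat, fstatat(AT_SYMLINK_NOFOLLOW) and openat(O_NOFOLLOW), so a symlink planted at any ancestor level, not only the immediate parent, is refused. The names open_dir_nofollow and run_scenario are hypothetical, and the temp-directory scenario with the planted "pkg" link is constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open directory relpath below dirfd, creating missing components, and refuse a
 * symlink at ANY level rather than only at the immediate parent (the gap behind
 * CVE-2021-35939). Hypothetical helper for this page, not rpm's own fsm code. */
int open_dir_nofollow(int dirfd, const char *relpath)
{
    char buf[PATH_MAX]; struct stat st; int cur, next;
    if (strlen(relpath) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, relpath);
    if ((cur = dup(dirfd)) < 0) return -1;
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        /* an existing symlink makes mkdirat fail with EEXIST; fstatat then sees the link */
        if (mkdirat(cur, tok, 0755) < 0 && errno != EEXIST) goto fail;
        if (fstatat(cur, tok, &st, AT_SYMLINK_NOFOLLOW) < 0) goto fail;
        if (S_ISLNK(st.st_mode)) { errno = ELOOP; goto fail; }
        /* O_NOFOLLOW closes the fstatat->openat race: a link swapped in now fails here */
        next = openat(cur, tok, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        close(cur);
        if (next < 0) return -1;
        cur = next;
    }
    return cur;
fail:
    { int e = errno; close(cur); errno = e; return -1; }
}

/* Constructed scenario in a fresh temp dir: the grandparent "pkg" of the install path
 * is a planted symlink to "victim". Returns 1 when that path is rejected with ELOOP
 * while the honest path "opt/share/app" is still created and opened. */
int run_scenario(void)
{
    char tmpl[] = "/tmp/cve-2021-35939-XXXXXX";
    if (!mkdtemp(tmpl)) return 0;
    int rootfd = open(tmpl, O_RDONLY | O_DIRECTORY); if (rootfd < 0) return 0;
    mkdirat(rootfd, "victim", 0755);
    symlinkat("victim", rootfd, "pkg");  /* pkg -> victim, the planted link */
    int bad = open_dir_nofollow(rootfd, "pkg/share/app");
    int bad_errno = errno;
    int good = open_dir_nofollow(rootfd, "opt/share/app");
    if (good >= 0) close(good); close(rootfd);
    return bad == -1 && bad_errno == ELOOP && good >= 0;
}
```

A parent-only check would have accepted "pkg/share/app" here, because only "share" (the immediate parent of "app") would have been inspected.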
For Red Hat Enterprise Linux systems, refer to the Red Hat CVE-2021-35939 Advisory for distribution-specific patches. Gentoo users should refer to GLSA 202210-22 for update instructions.
Workarounds
- Ensure all directories in package installation paths are owned by root and have appropriate permissions (typically 755)
- Use SELinux in enforcing mode to restrict symlink following behavior
- Implement mandatory access control policies to limit which processes can create symbolic links in system paths
- Regularly audit and remove any unauthorized symbolic links in system directories
# Audit directory ownership in common installation paths
find /usr /etc /var -type d ! -user root -ls 2>/dev/null
# List symbolic links in system paths; the non-root-owned ones are the suspicious subset
find /usr /etc /var -type l ! -user root -ls 2>/dev/null
# Verify the RPM version includes the security fix (4.18.0 or later upstream;
# distribution builds may carry a backported fix under an older version number)
rpm --version
ver=$(rpm --version | awk '{print $NF}')
if [ "$(printf '%s\n' 4.18.0 "$ver" | sort -V | head -n1)" != 4.18.0 ]; then
    echo "rpm $ver predates 4.18.0: check the vendor advisory for a backport, or upgrade"
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.